Lisa Vaas, Senior Content Marketing Manager, Contrast Security
Lisa Vaas is a content machine, having spent years producing reports and analysis on information security and other flavors of technology. She now keeps content engines running to help keep secure code flowing at Contrast Security.
Are you still using “MrFluff” as your password? Maybe mixed in with a little Leet-speak – say, “MrFl0ff” – to confuse all those hackers who want to vacuum your 401K plan?
Well, today is the first Thursday in May, and that means it’s World Password Day. Time to celebrate! You can do so by retiring “MrFl0ff” and replacing it with a password longer and stronger than a pet’s name (which, studies have found, still ranks among the world’s most hacked passwords). Contrast Security experts also suggest enabling multi-factor authentication (MFA) for important accounts and giving MrFluff a new name that is much harder to crack – for example, *6fjI5%4&crkN.
We asked Contrasters for more advice on what developers and businesses should know about password policies: Read on!
“How many passwords have you forced yourself to remember? How many versions of the same password (e.g., Password1, Password12, Password1!) do you use? A password manager will make your life easier and allow you to create and store passwords securely, and at the same time you will never even have to know what those passwords are. Get a password manager today.
Forced password expiration is one of the most common security requirements that I still see used in organizations. NIST has explicitly stated for four years now (SP 800-63B Section 5.1.1.2) that stored secrets should not be forced to change arbitrarily, and should only be forced to change if there is evidence of compromise. If you make a change to your password policy, remove this arbitrary requirement.”
—David Lindner, CISO
“Companies should develop and implement password policies based on research — not intuition, folklore, and anecdote. If you did, you would have stopped arbitrary password rotation over a decade ago, and you would by now have given up special character requirements in exchange for longer passwords and passphrases (without special characters). These passwords are easy to remember and often faster to type, which provides a better user experience while securing user accounts. CyLab has created a great password research piece.”
—Larry Maccherone, DevSecOps Transformation
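The two points above (no arbitrary rotation per SP 800-63B, and length plus a breached-password check instead of composition rules) can be expressed as a small verifier policy. The following is an added example, not code from the post or from Contrast Security; the blocklist is a constructed five-entry stand-in for a real breached-password corpus, and the leet-speak map and suffix stripping are simplified illustrations of how a verifier canonicalizes a candidate before the lookup.

```python
"""NIST SP 800-63B-style memorized-secret policy next to the legacy
composition-rule policy it replaces.  Added example; the BLOCKLIST and
LEET table are constructed illustrations, not a real corpus."""
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List

MIN_LENGTH = 8  # SP 800-63B (rev 3) floor for user-chosen memorized secrets

# Constructed stand-in for a breached/common-password corpus.  A real
# deployment checks against millions of entries from known breaches.
BLOCKLIST = {"password", "mrfluff", "letmein", "qwerty", "welcome"}

# Common leet-speak substitutions, undone before the blocklist lookup so
# "P@ssw0rd" is recognised as "password" (simplified, assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def canonical(secret: str) -> str:
    """Reduce a candidate to the root word the user probably started from."""
    s = unicodedata.normalize("NFKC", secret).lower()
    # Drop the Password1 / Password12 / Password1! style suffixes.
    s = re.sub(r"[\d!@#$%^&*]+$", "", s)
    return s.translate(LEET)


def legacy_policy(secret: str) -> Verdict:
    """The composition-rule policy the quotes above argue against."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", secret):
        reasons.append("needs an uppercase letter")
    if not re.search(r"[0-9]", secret):
        reasons.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9\s]", secret):
        reasons.append("needs a special character")
    return Verdict(not reasons, reasons)


def nist_policy(secret: str) -> Verdict:
    """Length floor plus blocklist lookup; no composition rules, spaces allowed."""
    s = unicodedata.normalize("NFKC", secret)  # normalize before comparing/hashing
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if canonical(s) in BLOCKLIST:
        reasons.append("matches a commonly used or compromised password")
    return Verdict(not reasons, reasons)


def rotation_required(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """SP 800-63B 5.1.1.2: age alone never forces a change; compromise does."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd1!", "MrFl0ff"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate).accepted} "
              f"nist={nist_policy(candidate).accepted} {nist_policy(candidate).reasons}")
    print("rotate after 365 days, no compromise:", rotation_required(365, False))
    print("rotate after 1 day, compromise found:", rotation_required(1, True))
```

The contrast is the point: the legacy policy accepts `P@ssw0rd1!` and rejects the passphrase, while the research-based policy does the opposite, and `rotation_required` ignores password age entirely.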
“Any time a business user depends on a password to access a service, your IT team has failed at its job. Updating practices to include modern identity management technologies means your users no longer have to remember passwords and criminals gain nothing by stealing them, which is why it is absolutely essential to enforce a company-wide policy of using a password manager for passwords and mandating multi-factor authentication (MFA). Even if a user is successfully phished for a password, your data remains safe.”
—Steve Wilson, Product Manager
“I look forward to the day when there will be no more ‘password’ days to celebrate. Modern identity technology is already poised to end this practice.”
—Adam Schaal, Director of Corporate Security
“There are plenty of easy-to-use, free password managers out there! They help create and store secure passwords, so people don’t have to worry about managing passwords or attackers stealing them.”
—Ankur Papneja, Product Manager