topic Re: Dustin Got It Right in Tech Talk https://community.isc2.org/t5/Tech-Talk/Dustin-Got-It-Right/m-p/30311#M1972 <P>Without quoting Randall Munroe's sublime password demystifying cartoon myself (I'll let <A href="https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987" target="_blank" rel="noopener">this Gizmodo article</A> do that for me!), I remember reading how a retired NIST bureaucrat admitted that he wrote bad password creation guidance -- but only after he left his role.<BR /><BR />Maybe at some point, someone will revise 800-63 Appendix A by appending it to say "or just use a thirty character passphrase, and at least *consider* adding MFA."</P> Mon, 02 Dec 2019 00:11:49 GMT ericgeater 2019-12-02T00:11:49Z Dustin Got It Right https://community.isc2.org/t5/Tech-Talk/Dustin-Got-It-Right/m-p/30293#M1970 <P>Dustin's 12/1/2019 Sunday Comic got two things right in a commentary on passwords:</P><P><A href="https://www.comicskingdom.com/shared_comics/2e258750-c12c-4c5c-8928-e4bea6bee071" target="_blank" rel="noopener"><SPAN>https://www.comicskingdom.com/shared_comics/2e258750-c12c-4c5c-8928-e4bea6bee071</SPAN></A></P><P>&nbsp;</P><P><SPAN>1. Treating all passwords as if they are protecting the same level of highly sensitive information or extreme risk is silly.</SPAN></P><P><SPAN>2.&nbsp;Continuing the broadly enforced &nbsp;<A href="https://doi.org/10.6028/NIST.SP.800-63b" target="_blank" rel="noopener">out of date password&nbsp;complexity and refresh rules</A> is not only cumbersome, but stupid.</SPAN></P><P>&nbsp;</P><P><SPAN>Craig</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Sun, 01 Dec 2019 14:03:56 GMT https://community.isc2.org/t5/Tech-Talk/Dustin-Got-It-Right/m-p/30293#M1970 CraginS 2019-12-01T14:03:56Z Re: Dustin Got It Right https://community.isc2.org/t5/Tech-Talk/Dustin-Got-It-Right/m-p/30311#M1972 <P>Without quoting Randall Munroe's sublime password demystifying cartoon myself (I'll let <A href="https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987" target="_blank" rel="noopener">this Gizmodo article</A> do that for me!), I remember reading how a retired NIST bureaucrat admitted that he wrote bad password creation guidance -- but only after he left his role.<BR /><BR />Maybe at some point, someone will revise 800-63 Appendix A by appending it to say "or just use a thirty character passphrase, and at least *consider* adding MFA."</P> Mon, 02 Dec 2019 00:11:49 GMT https://community.isc2.org/t5/Tech-Talk/Dustin-Got-It-Right/m-p/30311#M1972 ericgeater 2019-12-02T00:11:49Z