MagnoliaJS is the premier web development conference hosted in the capitol city of Mississippi at the Mississippi Museum of Art downtown. With all the stories of Mississippi as a failing state, it is important to recognize MagnoliaJS as an opportunity for people in the web industry to learn about the state from its storied museums. The art museum in particular is an excellent community center and venue for this conference, as well as being rich with catering options from close by!
I won’t lie: the food is a big draw. There’s great food in Jackson and MagnoliaJS is a great chance for it to be showcased in front of a national (sometimes global) audience.
Another, more personal reason is that the conference organizers are friends of mine who I want to support. The conference is also quite emphatic about accessibility and inclusion as themes and as a policy, so everything from the registration process to attendance is demonstrative of these values. MagnoliaJS will begin on Tuesday, October 17, with a talk on accessibility and neurodiversity from Homer Gaines. I’m also looking forward to a live coding session from Karl Groves demonstrating accessibilty principles in JavaScript.
My primary goal is to listen and learn about the varied perspectives in the web industry. While there will be some JavaScript covered at the conference, there are a number of other topics that may shed light on a different way of thinking, so I am approaching with an open mind.
I am always willing to take the time to listen to story tellers in Mississippi spaces. I come away from these types of interactions inspired and motivated, and this usually takes a direct impact through the leadership decisions I make.
If you would like to purchase tickets for MagnoliaJS please use the button below for a 15% discount!
Get Tickets for Magnolia JS 2023
Too many organizations employ outmoded policies related to passwords that have been shown to be ineffective in providing security, namely, the requirement to change a memorized token on a regular periodic basis. I would like to present here various references which demonstrate that the industry standards have evolved in the last decade and do not require users to change a memorized token on a regular basis. It is best practice to require a changed password when credentials are found in other systems (I know of some orgs that use the haveibeenpwned API to provide intelligence when credentials are found on the dark web) but expiry should not be required until there is evidence a compromise has occurred.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Requirements set in the Payment Card Industry Data Security Standards state that passwords should only be changed on a regular 90-day basis, if it is the only authentication method available (Section 8.3.9). A stronger security posture is to require multi-factor authentication to access secure systems.
Lorrie Cranor, ACM and IEEE fellow & Chief Technologist at FTC (2016-2017), wrote an article that makes the point of this blog post: mandatory password changes should be reconsidered. Compellingly, she details research that has demonstrated “[an] attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”
Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.
In a research article, the Microsoft Identity Protection Team identifies password expiry as an “anti-pattern” (a practice which is believed to solve a problem but in fact does not).
Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one. There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.
One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.
“I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to “we want to eliminate passwords”. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business,” he says.
“If I eliminate passwords and use any form of biometrics, it’s much faster and the experience is so much better.”
Microsoft is moving towards a hybrid mode of work and, to support that shift, it’s making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.
[1] NIST 800-63B Section 5.1.1.2 Memorized Secret Verifiers
[3] FTC Time to rethink mandatory password changes
[4] Microsoft Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903
[5] Microsoft Password policy recommendations for Microsoft 365 passwords
[6] Microsoft Password Guidance
[7] Microsoft’s CISO: Why we’re trying to banish passwords forever