Let's Expire Password Expiry


Too many organizations employ outmoded policies related to passwords that have been shown to be ineffective in providing security, namely, the requirement to change a memorized token on a regular periodic basis. I would like to present here various references which demonstrate that the industry standards have evolved in the last decade and do not require users to change a memorized token on a regular basis. It is best practice to require a changed password when credentials are found in other systems (I know of some orgs that use the haveibeenpwned API to provide intelligence when credentials are found on the dark web) but expiry should not be required until there is evidence a compromise has occurred.

Key paragraph from NIST Digital Identity Guidelines [1]

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

PCI DSS password requirements [2]

The Payment Card Industry Data Security Standard requires passwords to be changed on a regular 90-day basis only if they are the sole authentication method available (Section 8.3.9). A stronger security posture is to require multi-factor authentication to access secure systems.
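As an added illustration of the policy this post argues for (example code, not from the post, NIST or the PCI council), the following Python sketches a compromise-driven rotation check: a k-anonymity lookup in the style of the haveibeenpwned Pwned Passwords range API mentioned above, fed by a constructed offline bucket, and a decision function that forces a change only on evidence of compromise or, for single-factor accounts, on the PCI 90-day clock. The Credential fields, the fake bucket contents and the breach count are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Optional

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for one bucket of the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>),
# whose lines are "<35 hex chars>:<count>". These lines are made up, except the
# second is the true suffix of SHA-1("password") so the lookup has a hit (count invented).
PWNED_PREFIX = sha1_hex("password")[:5]
FAKE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    sha1_hex("password")[5:] + ":9545824",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])

def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call; only the constructed bucket exists."""
    return FAKE_RANGE_RESPONSE if prefix == PWNED_PREFIX else ""

def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; blank lines are skipped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char prefix leaves the host; the full
    digest is compared locally against the suffixes in the returned bucket."""
    digest = sha1_hex(password)
    return parse_range_response(fetch_range(digest[:5])).get(digest[5:], 0)

@dataclass
class Credential:
    last_changed: date
    has_second_factor: bool
    pwned_count: int = 0  # result of a breach-corpus check such as breach_count()

def change_required(cred: Credential, today: date) -> Optional[str]:
    """Why a change is required, or None if the password may stand. Compromise
    evidence always forces a change (NIST 800-63B 5.1.1.2); the 90-day clock
    applies only when the password is the sole factor (PCI DSS 4.0 8.3.9)."""
    if cred.pwned_count > 0:
        return "compromised"
    if not cred.has_second_factor and today - cred.last_changed > timedelta(days=90):
        return "single-factor-90-day"
    return None
```

Swapping fake_fetch_range for a real HTTPS client against the range endpoint is the only change needed to run the check against the live corpus.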

FTC persuasive article against mandatory password changes [3]

Lorrie Cranor, ACM and IEEE fellow & Chief Technologist at FTC (2016-2017), wrote an article that makes the point of this blog post: mandatory password changes should be reconsidered. Compellingly, she details research that has demonstrated “[an] attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”

Three different Microsoft articles make the case

Microsoft Security removed password expiration in v1903 of Windows 10 and Windows Server [4]

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

Microsoft 365 password policy recommendations [5]

Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

Robyn Hicock, Microsoft Identity Protection Team [6]

In a research article, the Microsoft Identity Protection Team identifies password expiry as an “anti-pattern” (a practice which is believed to solve a problem but in fact does not).

Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one. There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.

One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

Microsoft CISO says the future is passwordless [7]

“I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to “we want to eliminate passwords”. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business,” he says.

“If I eliminate passwords and use any form of biometrics, it’s much faster and the experience is so much better.”

Microsoft is moving towards a hybrid mode of work and, to support that shift, it’s making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.

References

[1] NIST 800-63B Section 5.1.1.2 Memorized Secret Verifiers

[2] PCI-DSS 4.0 Section 8.3.9

[3] FTC Time to rethink mandatory password changes

[4] Microsoft Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903

[5] Microsoft Password policy recommendations for Microsoft 365 passwords

[6] Microsoft Password Guidance

[7] Microsoft’s CISO: Why we’re trying to banish passwords forever


Authored by Michael Lamb.
Published on 12 August 2023.
Category: Social


JXN Film Club - PODCAST REVIVAL


As a film lover in Jackson, I’ve felt compelled to identify the people in my life who love talking about movies. A few years ago, the thought had crossed my mind to start a film club and try to create some community around this shared love. I asked some friends and started organizing events, and eventually was approached about starting a podcast. That’s the brief history of Jackson Film Club (aka jxnfilmclub or JXN Film Club).

When The Fairview Sound studio was located in Belhaven, I worked with Brennan White to release 2 seasons of podcast content under the banner JXN Film Club The Podcast. My co-host was Sam Graef, a current film student at Belhaven University and co-founder of Escape the Wolf Productions. Both Brennan and Sam have moved on to other phases of life and so I am going to do something new to continue this podcasting project on my own.

If you’ve never listened to the podcast before, here’s the last episode we recorded with Brennan, featuring Brennan! It’s a great introduction to our style.

Are you on Discord?

There is a chat and social app called Discord which was initially created for the gaming community. If you’ve ever used Slack or IRC, you’re going to be familiar with the channel structure of Discord Servers. I have owned and maintained a personal Discord I use for development since 2017. You can join my server using the widget under my bio on this page.

Moving forward, starting with Season 3, all episodes will be generated from recorded conversations taking place on Discord. This will enable a regular schedule since guests will be completely remote. This does require that guests are registered Discord users and have access to a camera and microphone. The great part is that the Discord app lets users use the camera, and most people who have a smartphone have earbuds or headphones. All the recording logistics are handled seamlessly, and the only thing guests will have to do is join a voice channel at an agreed-upon time.

Topics

Previously, we collaborated with our guests to come up with general topics we could have some freeform discussion about. I don’t know how well this really worked as far as exploring intellectual takes on films or the film industry, but I had fun doing it.

In addition to topics, we had a throughline of Top 20 episodes. These conversations focused on a guest’s Top 20 favorite movies, a list they compiled ahead of time. I’ve collected all of the lists we turned into episodes on my Letterboxd. I’ll continue to catalogue JXN Film Club podcast content on Letterboxd as is appropriate.

Considering that Seasons 1 and 2 were primarily recorded in the living room studio of The Fairview Sound, the conversational nature of our topics relied a lot on in-person chemistry. I’m not concerned that chemistry won’t be possible using Discord but I do believe it will feel very different. I look forward to exploring the challenges to recording a podcast using this digital platform.

Be Our Guest

So far we’ve had lots of interesting local guests, but I am excited about the potential of opening the podcast to feature guests from anywhere in the world! If you think you’re up for the task and want to learn more about the podcast recording schedule, please respond to the form below!


Authored by Michael Lamb.
Published on 12 July 2023.
Category: Social


Wearable Tech and Telehealth


Years ago, I was a contributor for the student newspaper The Reflector at Mississippi State University. I published articles under the news, opinion, and life categories. In one particular opinion article (pdf) originally published in September 2014, I am found invoking the famous “Webster's Dictionary defines…” to discuss the innovation of the Apple Watch. My opinion in the article was that the watch was fashion, and that Apple would fail miserably, and here I am now eating crow.

As I write, I’m wearing an Apple Watch. It’s only my second device in 6 years and I can say it has definitely changed my relationship to technology in ways I didn’t anticipate. More on that later.

Telehealth and wearables

In 2021, my colleague Jack Mazza completed an honors thesis in which he surveyed the future of wearable technology in telehealth. His work included building a sample app, generating data using his own wearable, and canvassing healthcare professionals at the University of Mississippi Medical Center in Jackson. His proof-of-concept app demonstrated to Jack the various data his own wearable offered him, and his survey questions reflected a well-rounded perspective on telehealth and wearable data. You can read his findings for yourself by reviewing his thesis (pdf), and here’s a quick quote that will convince you it’s worth 5 minutes of your time:

The results showed overwhelmingly that healthcare professionals believe wearable technology could greatly aid the Tele-Health communications process for both patients and healthcare workers alike. The addition of the data could help many diagnoses be more accurate and give patients better care.

In general, Jack’s main question was about whether wearable data was considered trustworthy by medical professionals. The findings are generally optimistic about wearable tech and its impact on simplifying communications between doctors and patients.

My experience with wearable tech

My first Apple Watch was a Series 3, which I believe was the first time the product was offered with cellular. I managed to keep that device for over 2 years before I upgraded to a Series 6. Not only have the devices withstood my normal traffic, I was able to sell my first watch on the cheap.

One of the first things I realized when I started wearing an Apple Watch was that I received way too many push notifications. Since then, nearly everything is silenced except for text messages and phone calls. The watch replaced the buzzing in my pocket and made me more conscious of how often my phone distracts me.

The health tracking features of the Apple Watch are primarily what Jack’s thesis explored, and I can attest to their usefulness in my life. It has been an infrequent occurrence, but I have experienced occasional panic attacks. The meditation feature on the watch helped me practically by giving me an activity I could focus on to calm down during some attacks, as well as giving me biometric feedback by showing my heart rate was lowering over time.

I haven’t needed to share the data with any doctors yet but every now and then I make use of the ECG feature introduced in the Series 6 to graph my heart rate.

Conclusion

Wearable tech and telehealth should be adopted in areas with low access.

michaellamb.dev announcements

I will be hosting a podcast session for jxnfilmclub in my dev Discord server on July 12.

Anyone is welcome to join the conversation; just reach out to me on my server or by DM for more details.

C Spire Gaming will be hosting Community Game Night on July 20.

Zack Sistrunk will be looking for a squad in Planetside 2 on PC. Watch on Twitch or join in on Discord.

I’m on Threads

New Song Recommendation


Authored by Michael Lamb.
Published on 07 July 2023.
Tags: feature


An overview of LinkStack


I use LinkStack as an app at link.michaellamb.dev and have added it to my social media pages as a link dashboard. I often share the link to the app with new contacts to give them all the options to connect with me. There are even a few other users on my LinkStack with their own pages, as the app has an admin feature and a registration toggle (disabled by default). My instance of LinkStack is running in the Raspberry Pi cluster [1] I have documented in the past [2].

LinkStack is an open source project which solves link sharing and management of shared links. It offers a customizable page like Linktree, but with so much more opportunity and freedom – as long as you’re comfortable starting a Docker container!

I trust the project’s documentation on GitHub and recommend using that to determine how you might want to add this free and available resource to your web properties.

LinkStack vs. Linktree

Features

Linktree is a very quick and simple solution for creating a list of links with customizable buttons, colors, and backgrounds but its features are limited. Linktree intentionally limits these features to ensure only the most user-friendly experience is possible on their platform. When compared to LinkStack, Linktree has no feature that comes close to the Themes offered by default with new instances of a LinkStack app. Custom Themes in LinkStack gives users the ability to design their page exactly how they like it.

Hosting

LinkStack offers a robust platform with the option to host yourself or host on their servers. Self-hosting a LinkStack app is straightforward and can happen in a few clicks. LinkStack’s inspiration is to empower data ownership among individuals and groups who need a reliable and autonomous solution for sharing links. Alternatively, you may find using a hosted instance might be right for you. The LinkStack org provides low-cost hosting in addition to their community instance program which anyone can use for free.

Linktree isn’t a project, it’s a product. Its pricing is at a higher premium than LinkStack’s.

Support

Because it is an open source project, LinkStack offers community support on Mastodon and Discord.

Developer Contribution Guide

LinkStack is written in PHP with the Laravel framework. Developers may contribute bug reports, code discussions, code fixes, and new features. The Discord server is where communication around this work takes place. The maintainers use GitHub Flow as an integration strategy.



Authored by Michael Lamb.
Published on 07 June 2023.
Category: Social


Leadership Greater Jackson - Reflection


Leadership Greater Jackson

In January 2023, I started a community-oriented leadership program called Leadership Greater Jackson based in Jackson, MS. The program introduced me to community leaders across the city, county, and state, and helped create and shape new relationships with other members of this 35th cohort of the program. A number of my colleagues at C Spire have gone through this program and after chatting with them I decided to apply and was lucky enough to be invited!

This post is intended to highlight my experiences, as well as serve as an open invitation to my fellow Leadership members to stay in touch by joining my dev Discord. LGJ35 members should send me a direct message on Discord @michaellambgelo to receive the official @LGJ35 role.

Closing Retreat

Here’s the last Instagram post commemorating our closing retreat. We spent the morning at the Mississippi Museum of Art before enjoying lunch at the Capital Club. Then we enjoyed an afternoon of fellowship, offering reflection on our time together. A small group joined us for a short walking tour where we heard about the history of Jackson from John Spann. At the end of the day, we celebrated with a rooftop after party!

The first post

I started this program with no prior relationships with anyone else in the cohort. I have since established some solid relationships and created a number of acquaintances such that my local network is significantly enriched. Here’s my first post featuring Akilah and Randy!

Cultural Differences Retreat

Most of our class days were spent in Jackson but this post features photos from a weekend retreat in Tupelo, MS.

Criminal and Civil Justice and the Law

This particular day was difficult because the controversial bill HB 1020 was being debated in the state legislature. HB 1020 expands a state police force within the city limits of Jackson and establishes an unconstitutional, unelected judicial district. The bill was signed into law by the governor in April.

State and Local Government

Again, this day had some challenges because of the contents of HB 1020 as well as some other differences, but one of the things that was amazing about LGJ35 was how we used these opportunities to push ourselves into some stretching, necessary conversations.

Healthy Food Day

Our cohort split into different groups to organize some fun, educational events in an inner-city community. Healthy Food Day found us potting chard, making veggie tacos, and sautéing collard greens.

Health and Human Needs

The Jackson Medical Mall is a revitalization of Jackson’s first commercial mall. It was reimagined as a place for community services. Check out the Instagram post for more! I was certainly surprised by everything offered there.

Quality of Life

Quality of life was an important theme to consider in the context of the city of Jackson. We spent a lot of time learning about the cultural and art experiences offered by the city’s museums and arts districts, Fondren and Belhaven.


Authored by Michael Lamb.
Published on 30 May 2023.
Tags: life-update



About michaellamb.dev

Michael Lamb is a software engineer working at C Spire. If you have a blog-specific inquiry please create a new issue on GitHub. Feel free to fork this blog and build your own!

Get to know who I am in my first post Hello, World!

© Copyright 2021-2025
Michael Lamb Blog