"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords"
Thank you Microsoft. NIST agrees. Everyone who attacks password auth agrees. Can we get compliance to update their requirements.
https://t.co/8nZszqKUBC
@laneichy The Listeners by Walter de la Mare is just the right blend of thought-provoking and lightly spooky imo ๐ Also High Flight by John Gillespie Magee Jr (less spooky unless you're scared of heights) ๐ฉ๏ธ
@Xerxel@CommieGIR@janewakefield@what3words@cybergibbons refuse.housework.homebound is in Australia, changing the last word to housebound puts you in Belarus. Seems like a simple mistake that could have been introduced at any point as this article took shape.
@TychoTithonus @m33x It would be able to answer for you, under certain assumptions "Would it be better to use blacklist A or blacklist B against an adversary attempting to guess more common passwords first?" In this way, it's really for admins rather than users.
@m33x Seriously cool, and with real finesse on the Lego setup! We've thought about applying Skeptic to PINs, so I have my reading for tonight. Would be an interesting one! cc: @jff@asfmendes
@m33x Exactly right regarding Patrick's note, rather than just filtering the passwords, applying best/worst/average case password reselection behaviours (with the possibility of plugging in more) gives us a more representative picture from what we've seen so far.
@m33x Thank you so much! :) I would suggest proportional reselection for making the case to IT. I think it's the most representative mode at the moment.
@m33x Ooh, my time to shine (maybe?), we built a system for automatically ranking password composition policies given assumptions about user password reselection behaviour. It'll be at ASIACCS 2020, here's the preprint: https://t.co/bdYaUHjzCk
While this might have nothing to do with the latest "sophisticated cyberattack" that you came under @easyJet, I sent you an e-mail and several DMs about this and absolutely nothing was done. I can't help but wonder, were there similar warnings this time?
@easyJet Remember when I got in touch *last November* to let you know about this page being served insecurely? Still not fixed. These are the absolute basics. hxxp://www.easyjet.com/en/cheap-flights/
Sign in link up top there too, for anyone to fiddle with that happens to be sitting between the user and your server. Honestly really frustrating. @troyhunt wrote on this all the way back in 2017. https://t.co/nnGgRBL6n8
@poundlandpam Nah because imagine putting the entire surface area of the bottom of your foot into direct contact with a freezing cold floor no thank you.