Please share this far and wide. As far and wide as you can. NIST Password Guidelines for 2024 are in the process of being updated.
This is a HUGE pet-peeve of mine (when vendors in particular are still operating like it's 2017 and keep changing passwords every 60 days, STOP DOING THIS, it's outdated and has been shown to put you MORE at risk than less -- NIST explains why it does in this document, meticulously outlining user behavior**) so I'm sharing this in the hopes all of you will pass it along to your bosses.
The Special Publication series governing passwords is SP 800-63 "Digital Identity Guidelines".
The 2024 version is 800-63-4.
Here: https://t.co/oX8YEJHxXg
The companion docs are also on that link. They are 800-63A, 800-63B and 800-63C. These are different documents for different scenarios in play at your org.
The previous update was in 2020.
The changes in the 2020 version from the 2017 version were numerous but one of them was that the password verification method should NO LONGER require passwords be changed at specific intervals (i.e. every 60 days) but in the following circumstances instead:
1. After a breach/compromise
2. User request
2024 repeats this and adds a bunch more guidelines, but here is a screenshot of page 13 of the new 800-63-4 (note the # 4 after it) which outlines how your systems should, now and moving forward, be handling passwords.
This goes for Active Directory, too. All your systems which have passwords should align with these guidelines provided there isn't another standard or framework you must adhere to which overrules this.
Most frameworks, however, have moved away from arbitrary password resets and complexity rules.
**We cybersec researchers and hackers use wordlists from breaches in a variety of different ways. Hackers use them in tooling to crack passwords whereas researchers use breach dumps to see the kinds of passwords users are creating and the psychology behind them.
Using complexity rules gets you the user psychology of:
Password1
Password2
and so on
Use phrasing instead and allow for spaces, which is important. Humans type phrases with spaces. They also mention phish-resistant methods, and most vendors are on board with MS, which is going to be turning off all Legacy Auth next month, across all free accounts and tenancies.
I'm so excited for the new changes!
Ok I'm off my soapbox.
Share the love! Thank you!
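As an added example (not part of the original post, and not NIST's or any vendor's code), here is a Python sketch of a verifier that follows the direction the post describes: a length floor and a generous ceiling, spaces and Unicode accepted as-is, no composition rules, a blocklist check against breached or common passwords, and a change policy that fires only on compromise or user request rather than on a calendar. The specific limits (8 minimum, at least 64 accepted), the NFKC normalization step and the context-word check are my reading of SP 800-63B and are assumptions here, not quotes from the post; the blocklist is a small constructed stand-in for a real breach-derived wordlist.

```python
import unicodedata

# Constructed stand-in for a breach-derived wordlist (the post mentions breach dumps).
# A real deployment would use a large list or a k-anonymity lookup service.
BREACHED_OR_COMMON = {
    "password1", "password2", "qwerty123", "letmein", "welcome1",
}

MIN_LENGTH = 8    # assumption: 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # assumption: verifiers must accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so the same phrase typed on different keyboards
    compares (and hashes) identically. Spaces are deliberately preserved:
    humans type phrases with spaces."""
    return unicodedata.normalize("NFKC", secret)


def evaluate_password(candidate: str, context_words=()) -> list[str]:
    """Return the list of rejection reasons; an empty list means acceptable.

    Intentionally absent: uppercase/digit/symbol composition rules and any
    notion of password age. Those are the practices the post argues against.
    """
    secret = normalize(candidate)
    folded = secret.casefold()
    reasons = []

    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Blocklist: values known from breaches or otherwise commonly chosen.
    if folded in BREACHED_OR_COMMON:
        reasons.append("appears in breach/common-password list")

    # Repetitive strings such as 'aaaaaaaa' carry almost no entropy.
    if len(folded) >= MIN_LENGTH and len(set(folded)) == 1:
        reasons.append("single repeated character")

    # Context-specific words (username, service name) supplied by the caller.
    for word in context_words:
        w = word.casefold()
        if len(w) >= 4 and w in folded:
            reasons.append(f"contains context-specific word '{word}'")

    return reasons


def change_required(*, age_days: int, compromise_detected: bool,
                    user_requested: bool) -> bool:
    """Decide whether a password change must be forced.

    age_days is accepted only to make the contrast explicit: it never
    influences the result. The two triggers are the ones the post lists,
    a breach/compromise or a request from the user.
    """
    return compromise_detected or user_requested


if __name__ == "__main__":
    for pw in ["Password1", "correct horse battery staple", "short", "a" * 65]:
        print(repr(pw), "->", evaluate_password(pw) or "OK")
    print("forced change after 400 quiet days?",
          change_required(age_days=400, compromise_detected=False,
                          user_requested=False))
```

Running the block prints one line per sample password with its rejection reasons, and shows that a 400-day-old, uncompromised password is not forced to change. The `context_words` argument is where an application passes the username or service name so that, for example, `alice` cannot use `alice2024!`.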
@grauhut @diebarschlampe Finish the top of the wall with copper sheet, then it won't turn green. But, as you rightly write, you still have to clean it regularly.
@MineCooky @Elektro_Robin "If you're ever in an argument with another car," Elon Musk assured everyone at the truck's launch event last week, "you will win."
-- that statement alone should be enough to ensure the car never gets type approval....
This is the Corvette that Windows zip folders bought.
Back in '93 or so, I was working at Microsoft on COM, and at home for fun I started writing a shell extension to browse zip folders in the new Win95 user interface, making them appear as if they were just folders. That grew into a shareware product called VisualZIP.
Then one day just before heading into work, I got a call from a lady at Microsoft. She wanted to know if I was the Dave Plummer who wrote VisualZIP, and long story short, they wanted to buy it, and could I come in to talk about it at some point?
I said "Sure, what's your office number, I'll stop by!" and it kinda freaked her out.
She said "No, no, we'd have to coordinate with travel and legal..." but I was confused as to why I'd need to book travel to talk to someone where I already worked!
And THEN I figured it out. She didn't know that I already worked for Microsoft, and I didn't know that she didn't know. So that was a bit awkward. But we worked it out.
In the end, my choices were pretty limited - either quit my day job and compete with Microsoft, or do what I wound up doing instead: cheerfully accepting their first, best, and only offer. So that's what I did!
I accepted their offer, paid the taxes on it, and bought a lightly used red 1994 Corvette LT1. There wasn't much left over. So next time you open a zip file on Windows, think of my car :-)
If you've ever wondered why the zip support is so slow today, there are two main reasons: first, being 25+ year old code, it's single threaded. It doesn't matter how many CPU cores you have, it only uses one.
Second, because of the way the shell used to work, you couldn't just hand it the contents of a file, you had to give it a local file path as the source. So the code first extracts the file to a temporary location, hands that location to the shell, and the shell copies the file. In other words, there's an extra temp copy operation involved in every operation.
That *could* be fixed, but I imagine the sense is that anyone who's hardcore about their zip performance or feature set will likely be using 7-Zip or WinRAR, etc. I don't see them improving it any time soon, but they have added more compression formats like RAR to the mix, so you never know.
If you enjoy these random nostalgic looks back, follow me for more! And heck, if you made it this far, you might as well share it too :-)
I wonder how fast a pedestrian must have been going for the car he crashed into to land on its roof.
"The accident investigation is still ongoing,
...
In response to an RNZ inquiry, police said that a pedestrian collided with a car. According to them, the car landed on its roof."
NEW: Microsoft disclosed that it got hacked by Russian government hackers.
Curiously, the hackers' goal appears to be to find out what Microsoft knows about them. Company says they broke into "a very small [%] of Microsoft corporate email accounts."
https://t.co/CLpCWdS4Cw
Til Schweiger's daughter - Luna Schweiger - is advertising intravenous wellness therapies (or something like that) on Instagram, with consultation by Heilpraktikerinnen (alternative-medicine practitioners).
Maximally irritating and dangerous nonsense.