* Posts by hitchslap

6 publicly visible posts • joined 18 Sep 2017

Bitter war of words erupts between UK cops and web security expert over alleged flaws in Cyberalarm monitoring tool

hitchslap

Re: Sage advice

A firesale perhaps?

Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'

hitchslap

Just checked.

I literally do have more passwords than underpants...or as we say in Scotland....undies pronounced "undees"

hitchslap

Re: Advice: Use a password manager

I've 13+ years working in InfoSec for all manner of organisations.

In my experience there used to be a 50/50 split on InfoSec peeps who trust password managers of any stripe. Some of the most impressive people I've ever worked with just point-blank refuse to use password managers.

I can see both sides of the argument but in the last couple of years InfoSec people, in my experience, are trending towards password managers now...

Personally...I'll use my brain and continue to get pissed off every time I have to reset a password I've forgotten...

And yes I wear a tinfoil hat but only when I sleep.

There's security – then there's barbed wire-laced pains in the arse

hitchslap

Conflicting Advice

So the advice from the NCSC above does have a point...however it also misses a lot.

I get it....strong passwords changed frequently is a pain, causes disruption etc etc. But there is a school of thought that writing complex and hard to remember passwords down can be a good thing in certain circumstances. https://www.schneier.com/blog/archives/2005/06/write_down_your.html

I know of one very large company now advocating the writing down of passwords.

Also moving away from a preventative to a detective control is a risky business and always makes me feel uncomfortable. Is your organisation capable of reacting to such detected anomalies? I'll bet it's not nearly as good as you'd like to think it is.

This advice does add something to the conversation but will likely be abused as there are so many other considerations that people won't take into account when deciding to bin their password reset policy.

Like all security controls...it's a pick and mix to overlap controls that are workable for the user, get the organisation into a compliant state and within its risk appetite.

Poor show, NCSC; that shows a lack of real-world experience.

Looking for scrubs? Nah, NHS wants white hats – the infosec techie kind

hitchslap

Re: Here we go again

Probably the most sensible comment I've read on this thread. Get the basics sorted - could not agree more...but without management support then you really are on a hiding to nothing.

I once did a consultancy gig with an ex-NHS CISO who was about as impressive as Jeremy Corbyn but with less vision.

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down

hitchslap

Congratulations Equifax......You blame the very people who have, in all likelihood, been pressuring for more frequent security patching as well as other changes. This is why being a CISO is truly a terrible job. If you do it well nothing happens and it's BAU. But you are viewed as not making any money for the company, or bringing in more customers...in fact all you do is spend money and slow up project delivery. A CISO is always seen as a major thorn BUT the minute something goes bang all the eyes turn to the CISO....he or she is then screwed, and the most laughable part is that they are often not on the board (despite the C tag) and they are certainly earning far less than other C-Level execs.