Is It Time to Update Password Policies?

With recent breaches, there is talk that password policies (and security practices in general) are in need of updates. Specifically, the trend toward tying accounts together needs to change, and the answers given to security questions need to be rethought.

Several recent articles recommend that, first, you unlink your accounts. If someone breaches one system, linked accounts can give them automatic access to the others, which means access to far more than just the breached system.

The other suggestion I saw that made a lot of sense was not to answer security questions with answers that actually make sense... say what? The theory is that so many of the answers you could provide can be gleaned from other sources. High school you attended? Home town? Mother's maiden name? Facebook is a great source for these, for pet names and much more. Answering "Mother's maiden name?" with the address of your first home is a more secure approach.

Of course you have to remember those answers…

Is it time to update password and security policies and start educating your user base? I think so. Password managers help: you can have completely meaningless passwords and still "remember" them. But all in all, it's time to really rethink what we suggest for security.

What do you think? Are you updating your security policies? Let me know…

swynk@sswug.org