undefined | Better HN

0 pointsmeindnoch2y ago0 comments

Forced password updates are a bad thing.

If your company does forced password updates, they are not following the NIST recommendation: https://pages.nist.gov/800-63-FAQ/#q-b05

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach.

0 comments

ixwt2y ago

The company I work for had a ransomware issue, so they got more zealous about security.

They require us to change our passwords every 45 days now. When I pointed out the NIST recommendations of not rotating passwords, they say they are following the guidance of the response team that helped them recover from the ransomware. And that the NIST doesn't actually deal with the real world.

b1122y ago

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

bluGill2y ago

Not directly. However NIST is admissible in court and so if someone sues there is now evidence that they should have known better.

b1122y ago

Anything is admissible in court, the judge merely has to allow it.

There are 1000s of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.

Does that make it so? No.

SAI_Peregrinus2y ago

NIST SP 800-63B is informative, not normative. It codifies existing industry-standard best-practice, but is not in itself law. However, not following best-practices may be argued as negligence if it leads to a breach or decrease in shareholder value.

internet1010102y ago

Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.

j / k navigate · click thread line to collapse

0 comments

ixwt2y ago

The company I work for had a ransomware issue, so they got more zealous about security.

b1122y ago

If your company is not following the NIST recommendation, they are incompetent, and will be held liable in case of a breach

This is a stretch. Liable? Please show the case law, or the legislation.

(My statement has no relevance to the validity of NIST's recommendations)

bluGill2y ago

Not directly. However NIST is admissible in court and so if someone sues there is now evidence that they should have known better.

b1122y ago

Anything is admissible in court, the judge merely has to allow it.

There are 1000s of such organizations, and many conflict with each other.

My point is, it's inaccurate to say you are liable for not following NIST. I could easily say you could be liable, for not following me.

Does that make it so? No.

SAI_Peregrinus2y ago

internet1010102y ago

Internal password resets are a bad thing. It has its place in document sharing/collaboration platforms not connected to AD as an additional layer of revoking access when people leave a company.

j / k navigate · click thread line to collapse