TUNE IN: Kevin Mitnick is Going Down!

Kevin Mitnick and I are passionately debating the right password policy, using our decades of knowledge and real-life hacking experience.

Listen to it all go down. Register at https://event.on24.com/wcc/r/1856107/295DE6CAB72FFD67B1323DDF19759750?partnerref=SpiceRG2

Ever since the National Institute of Standards and Technology (https://www.nist.gov) submitted Special Publication 800-63 (https://pages.nist.gov/800-63-3/), Digital Identity Guidelines, for review a few years ago, the computer security world has been either debating or intentionally ignoring its newest recommended password policies, which run starkly contrary to decades of previous advice. The new advice is so contrary to decades of previous advice from the same organization that virtually no one believes it. Certainly, almost no one is using it.

Buried among a thousand other pieces of advice, NIST now says that password policies that require long, complex, frequently changing passwords put users and their companies at MORE risk than simply requiring shorter, non-complex, never-changing passwords.
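To make the contrast concrete, here is an added example (not code from the article, KnowBe4 or NIST) that puts a legacy complexity-and-rotation validator beside one that applies the memorized-secret rules in SP 800-63B: a minimum of 8 characters, no composition rules, no forced rotation, and, a requirement the guideline pairs with dropping complexity rules, screening candidates against known-breached and context-specific values. The legacy thresholds, the sample username and the small breached-password set are assumptions constructed for the demo.

```python
"""Two password-acceptance policies side by side: a legacy complexity-and-
rotation policy and one following the memorized-secret rules of NIST SP
800-63B. Added example, not code from the article, KnowBe4 or NIST; the
legacy thresholds and the breached-password set below are constructed."""
from __future__ import annotations
import re
import unicodedata

# Constructed stand-in for a breached-password corpus. A real deployment
# checks against millions of leaked values, usually by hashed-prefix lookup.
BREACHED = {
    "password", "password1", "password1!", "welcome1", "summer2019!",
    "p@ssw0rd", "qwerty123", "letmein", "admin123",
}


def legacy_ok(pw: str, days_since_change: int) -> tuple[bool, str]:
    """Typical pre-800-63B rule set (thresholds assumed): at least 8 chars,
    three of four character classes, and a forced change every 90 days."""
    if len(pw) < 8:
        return False, "too short"
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        return False, "needs 3 of 4 character classes"
    if days_since_change > 90:
        return False, "expired, must rotate"
    return True, "ok"


def nist_ok(pw: str, username: str) -> tuple[bool, str]:
    """SP 800-63B section 5.1.1.2: at least 8 characters, at least 64 must
    be allowed, no composition rules, no periodic rotation; instead reject
    values that are breached, repetitive/sequential, or context-specific
    (here: containing the username)."""
    pw = unicodedata.normalize("NFKC", pw)   # guideline: NFKC or NFKD
    if len(pw) < 8:
        return False, "too short"
    if len(pw) > 64:   # upper bound set at the minimum the guideline allows
        return False, "too long"
    if pw.lower() in BREACHED:
        return False, "found in breach list"
    if username and username.lower() in pw.lower():
        return False, "contains username"
    if re.fullmatch(r"(.)\1+", pw):
        return False, "repetitive"
    if pw.isdigit() and pw in "01234567890123456789":   # narrow sequence check
        return False, "sequential"
    return True, "ok"


def compare(pw: str, username: str = "jdoe",
            days_since_change: int = 30) -> tuple[bool, bool]:
    """(accepted by the legacy policy, accepted by the NIST-style policy)."""
    return legacy_ok(pw, days_since_change)[0], nist_ok(pw, username)[0]


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2019!", "jdoe2024!!",
               "correct horse battery staple", "aaaaaaaa"):
        legacy, nist = compare(pw)
        print(f"{pw!r:32} legacy={legacy!s:5} nist={nist}")
```

Run it and the point of the debate shows up in the output: "Password1!" satisfies every legacy rule (length, three character classes, recently changed) and is still rejected by the NIST-style check because it is a known-breached value, while a long lowercase passphrase fails the legacy complexity rule and passes the NIST check. Complexity rules measure the shape of a password, not whether an attacker already has it.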

In one corner we have Kevin Mitnick, Chief Hacking Officer of KnowBe4, Inc., and one of the world’s best and most knowledgeable hackers. He’s got tons of real-life experience in which his trillion-guesses-per-second password-cracking tool revealed the exact kinds of passwords that NIST is recommending.

In the other, you have me, Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, arguing that the NIST nerds have it right. While Kevin is right about NIST-style passwords being easier to crack, that doesn’t change the support behind NIST’s new recommendations. I know many of the people and computer scientists who submitted the data that ended up convincing NIST to reverse its own long-standing recommendations.

Complicating the new recommendations is the fact that there’s nearly no one on NIST’s side. None of the big laws and regulations (e.g., PCI DSS, HIPAA, SOX, NERC) have changed their long-standing password guidance. If you even tried to change your password policy to match what NIST’s data says should be your new password policy, you wouldn’t survive a single compliance audit, and the bosses who pay your paycheck won’t approve.

So, it’s the ultimate battle of security versus compliance, and so far, to me, it looks like compliance is winning over security. Except for the looming fact that 99% of the world’s computer security experts support the old policy and think it’s more secure anyway.

It’s a real-life uber hacker vs. me, a data geek who just happens to also have 30 years of penetration testing experience, although I will readily admit I’m not as good as Kevin. But I’ve seen the data, and the data is pretty convincing. It’s pen versus sword, and I know we should all be using the new password policy recommendations.

Kevin and I “got into it” on an internal company email thread. Perry Carpenter said he was sitting back, watching, eating popcorn. It went back and forth for days. Some “victims” got in between me and Kevin and tried to calm things down. It didn’t work. Stu, CEO of KnowBe4, loved it, and decided its glory had to be shared with the internet. Perry got roped in as the host and referee.

Come check it out!

For this article and other interesting information, please refer to the source.

Source: Spiceworks
