You create a jumble of text for a password and 90 days later you change it. Good security practice, right? Wrong! NIST now says change your password only when you suspect it might be compromised. Entering a password doesn’t require a visit to the numeric and special characters on your keyboard. Microsoft removed password expiration from Windows 10 and Server core policy. What’s changed and why?
After attending this session, the learner will:
• understand why the old password guidance actually weakened security
• understand how to adopt the new rules yet remain compliant with the PCI DSS
• understand how memory-hard hashing better protects stored passwords
• learn how to enlist users in defending against account takeovers.
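To illustrate the memory-hard hashing objective above, here is an added example (not code from the session or its speakers) that stores and verifies a password with scrypt from Python's standard library. The cost parameters (N=2**14, r=8, p=1) and the storage string layout are assumptions chosen for illustration; the point is that each verification forces about 16 MiB of working memory per guess, which is what makes large-scale offline guessing expensive compared with a plain SHA-256 digest.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (assumed for this example): scrypt needs 128 * N * r bytes
# of memory per hash, so N=2**14, r=8 costs 16 MiB per guess.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32
SALT_LEN = 16


def memory_cost_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory scrypt requires for one hash with these parameters."""
    return 128 * n * r


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$hash (layout assumed here).

    A fresh random salt is generated unless one is supplied (tests only).
    Storing the parameters with the hash lets them be raised later without
    breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters recorded in the stored string."""
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False  # malformed or foreign record: never treat as a match
    n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
    salt = base64.b64decode(parts[5])
    expected = base64.b64decode(parts[6])
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(dk, expected)


def fast_unsalted_digest(password: str) -> str:
    """What a legacy store looks like: one cheap SHA-256, no salt, no memory cost."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("memory per guess: %d MiB" % (memory_cost_bytes() // (1024 * 1024)))
```

The stored record carries its own parameters, so the cost can be raised for new passwords while existing ones still verify; a legacy store of unsalted digests like `fast_unsalted_digest` has no such knob and lets an attacker test every leaked hash against one precomputed table.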
Hoyt L Kesterson II is a Senior Security Architect with Avertium. For 21 years he chaired the international standards group that created the X.509 public-key certificate. He is a co-chair of the ABA’s Information Security Committee. He is a PCI QSA and holds the CISSP and CISA certifications.
Jacques Lucas is a Senior Security Manager – Compliance and Audit at Avertium. He is the Compliance and Audit practice lead for Terra Verde. He has conducted more than seventy PCI and risk assessments. He is a PCI QSA and holds the CISSP and CISA certifications.