Geez it's nice to be home 😊 It's nice to live in a home that makes you feel that way when returning from a place as beautiful as Bali 😊 This week's video is dominated by the whole discussion around this tweet:
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? pic.twitter.com/a2yQQvNRpa
— Troy Hunt (@troyhunt) October 6, 2022
I love this for the way it throws traditional logic out the window, logic we all knew sucked and I suspect the massive engagement the tweet drove is due to precisely that: Microsoft giving us all a good reason to whinge about a sucky practice that still prevails so broadly. So... I hope you enjoy listening to just how bad enforced password rotation sucks 😊
References
- We've known that mandatory password rotation has passed its use-by date for years now (that blog post was actually the genesis for Pwned Passwords)
- The Bhinneka breach went into HIBP (Indonesian e-commerce service with 83% of pwnees being repeat visitors to HIBP)
- The Wakanim breach also went in, a pretty fresh one from 6 weeks ago (actually thought this was quite under-reported for an incident impacting 6.7M people)
- Sponsored by: Kolide can help you nail third-party audits and internal compliance goals with endpoint security for your entire fleet. Learn more here.