[Info-vax] Enhanced Password Management

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Mar 20 17:42:43 EDT 2019


On 2019-03-20 21:09:22 +0000, dgordonatvsi at gmail.com said:

> On Wednesday, March 20, 2019 at 4:55:01 PM UTC-4, Stephen Hoffman wrote:
> 
>> And for similar reasons, this divergence from current recommendations 
>> should be referenced in the VSI documentation.
> 
> Supposedly there were customers who couldn't move without checking a 
> particular set of DoD boxes.  Until they agree with NIST, the reference 
> in the doc was the best that I could do.

Yes, I've worked at a startup, and can certainly infer what might be 
happening here.

This doc doesn't indicate what NIST states.  The cited text completely 
skates past that "minor" detail, too.

Y'all are the security experts.  Have current opinions and have current 
recommendations and have current app development practices where it 
matters.  Guiding folks that are following old and questionable 
practices—how to upgrade security—somehow isn't a pillar of building 
and selling "the most secure operating system on the planet"?

Sure, let those folks that need to tick those boxes, but make them work at it.

For the rest of the folks, explicitly discourage the use of this new 
feature.  Because if you don't, then some folks will see and enable and 
use this.  Suggest the newer and better practices.  Enable adapting and 
adopting and using these and other newer practices, too.  Adding 
multi-factor authentication support, for instance.  2FA/MFA will look 
better in the release marketing materials, as compared with 
highlighting a questionable security feature.

-- 
Pure Personal Opinion | HoffmanLabs LLC 