
656 points EthanHeilman | 1 comments
paganel No.30104004
> Do not give long-lived credentials to your users.

This screams "we'll use more post-it notes for our passwords compared to before", or maybe the real world to which this memo is addressed is different compared to the real (work-related) world I know.

1. Godel_unicode No.30104886
This was a very unfortunate choice of words by the author, as they don't mean credentials as in the credential a user uses to initially authenticate to the system. Rather they mean authentication tokens, be they Kerberos tickets, bearer tokens, etc.

This memo in particular emphasizes the existing guidance the US government has issued around not expiring passwords. If you are a federal agency, you can have (and are in fact encouraged to have!) users with passwords that are unchanged for years.

Edit: it's worth pointing out that the memo does a great job of laying this out. I work in security, so possibly there's some curse of knowledge at play, but I found the blog post explainer to be less clear than the memo it is explaining...