←back to thread

I read the federal government’s Zero-Trust Memo so you don’t have to

(www.bastionzero.com)
656 points EthanHeilman | 4 comments | 27 Jan 22 15:06 UTC | HN request time: 0.001s | source
1. ineedasername ◴[27 Jan 22 22:42 UTC] No.30108038[source]
>It tells us to stop rotating passwords

Finally! Maybe the places I've worked will finally listen. But I stopped reading TFA to praise this, so back to TFA.

replies(1): >>30108109 #
2. 0xffff2 ◴[27 Jan 22 22:48 UTC] No.30108109[source]
NIST has made this recommendation for years. Sadly, I work for another branch of the Federal government and despite the NIST guidance I still have to rotate my password every 60 days. (Actually, the starts sending me daily emails warning me 15 days out, and the date is based on last change, so practically it's more like 45 days.)
replies(1): >>30109558 #
3. ineedasername ◴[28 Jan 22 01:20 UTC] No.30109558[source]
I know, it's been a while since rotation was considered a best practice. Yet the security team where I work will pick a random shiny new security practice and impose it on users. (I don't mind the imposition of good security, the hassle is worth it).

Just one example where I work is a prohibition against emailing certain types of documents or data to others in the company (which is mostly Word & Excel docs) Which seems reasonable, but the accepted solution is to use the built in encryption of MS Office to secure the file with a password and then email the file. And then send the password in another email. Honestly, that's supposed to be the protocol. The policy also hasn't been amended in any way to account for implementing Google docs & sheets, which can be accessed with the same credentials used for email or opened on any unattended employee's machine if they left a Gmail tab open (along with anything else in their Google drive). And regardless of any of these rules, almost no one follows them. I do-- I have to, I'm a data custodian so I can't violate the rules, but it annoys people.

replies(1): >>30110242 #
4. LilBytes ◴[28 Jan 22 03:01 UTC] No.30110242{3}[source]
This is why security teams get a bad wrap :(