Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For years, Microsoft’s baseline security policy has expired passwords after 60 days.

Password1, Password2, Password3 no more: Microsoft drops password expiration rec

For many years, Microsoft has published a security baseline configuration: a set of system policies that are a reasonable default for a typical organization. This configuration may be sufficient for some companies, and it represents a good starting point for those corporations that need something stricter. While most of the settings have been unproblematic, one particular decision has long drawn the ire of end-users and helpdesks alike: a 60-day password expiration policy that forces a password change every two months. That reality is no longer: the latest draft for the baseline configuration for Windows 10 version 1903 and Windows Server version 1903 drops this tedious requirement.

The rationale for the previous policy is that it limits the impact a stolen password can have—a stolen password will automatically become invalid after, at most, 60 days. In reality, however, password expiration tends to make systems less safe, not more, because computer users don't like picking or remembering new passwords. Instead, they'll do something like pick a simple password and then increment a number on the end of the password, making it easy to "generate" a new password whenever they're forced to.

In the early days of computing, this might have been a sensible trade-off, because cracking passwords was relatively slow. But these days, with rainbow tables, GPU acceleration, and the massive computational power of the cloud, that's no longer the case—short passwords are a liability, so any policy that makes people favor short passwords is a bad policy. It's better instead to choose a long password and, ideally, multifactor authentication, supplementing the password with a time-based code or something similar.

Read 3 remaining paragraphs | Comments

Google Releases Security Update for Chrome

Original release date: April 23, 2019

Google has released Chrome version 74.0.3729.108 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.The Cybersec…

Original release date: April 23, 2019

Google has released Chrome version 74.0.3729.108 for Windows, Mac, and Linux. This version addresses multiple vulnerabilities that an attacker could exploit to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Chrome Release and apply the necessary update.


This product is provided subject to this Notification and this Privacy & Use policy.


Dutch NCSC Releases Updated TLS Guidelines

Original release date: April 23, 2019

The Dutch National Cyber Security Centre (NCSC) has published an update to their Transport Layer Security (TLS) protocol guidelines, which aim to improve TLS configuration security.The Cybersecurity and Infr…

Original release date: April 23, 2019

The Dutch National Cyber Security Centre (NCSC) has published an update to their Transport Layer Security (TLS) protocol guidelines, which aim to improve TLS configuration security.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Dutch NCSC IT Security Guidelines for Transport Layer Security.


This product is provided subject to this Notification and this Privacy & Use policy.


Latest Windows patch having problems with a growing number of anti-virus software

A range of fixes and workarounds have been published.

This is a colorized transmission electron micrograph (TEM) of an Ebola virus virion. (Cynthia Goldsmith)

Enlarge / This is a colorized transmission electron micrograph (TEM) of an Ebola virus virion. (Cynthia Goldsmith) (credit: CDC)

The most recent Windows patch, released April 9, seems to have done something (still to be determined) that's causing problems with anti-malware software. Over the last few days, Microsoft has been adding more and more anti-virus scanners to its list of known issues. At the time of writing, client-side anti-virus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch.

Affected machines seem to be fine until an attempt is made to log in, at which point the system grinds to a halt. It's not immediately clear if systems are freezing altogether, or just going extraordinarily slowly. Some users have reported that they can log in, but the process takes ten or more hours. Logging in to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2 are all affected.

Booting into safe mode is unaffected, and the current advice is to use this to disable the anti-virus applications and allow the machines to boot normally. Sophos additionally reports that adding the anti-virus software's own directory to the list of excluded locations also serves as a fix, which is a little strange.

Read 3 remaining paragraphs | Comments