Password complexity and authentication have always been a subject of contention for both users and system administrators. Many assume that forcing users to create more complex passwords, and to change them frequently, will lead to greater system safety; in theory this may be true. Given human nature, things rarely go as planned, and research has shown that forcing users to comply with these additional requirements has actually had a detrimental effect on system security.
To chat more about this subject, we sat down with some members of our Risk, Security, and Privacy team to answer some important questions about security and passwords today.
1. You both do a lot of work providing advisory services to our clients. In a couple of weeks you are speaking at the PCI Community meetings, both in Las Vegas and then in London. Can you help us understand what’s wrong with the way most organizations handle authentication in payment systems?
2. So if we are still having password security issues, how do we get users to create passwords that are hacker-proof but easy to remember? Is it even possible?
3. So later this month you both are speaking at the PCI Community meetings on this topic. I know one of the things you are passionate about is bringing some of the NIST best practices into the PCI approach. Can you shed a bit of light on how NIST and PCI compare to each other and other standards when it comes to password complexity requirements?