(did you know? one in two application files I receive is not a file but just a CV)(and yes, there are people who ask what a complete application file is #jfgi)

I'm not the first person to be saying this, but the days of replying "JFGI" ("just fucking google it") to someone asking what you assume is a question easily answered by search engines – are over.

I really, really hate what the web has become.

(Jinja is a Python-based template language.)

#WWW #web #enshittification #JFGI

So what kind of policy framework do I have at my org? Goal is AAL2 per NIST 800-63B. Keep in mind, at least for the next decade or so still, passwords are not going anywhere - they are the last line of authentication while the world transitions to #passwordless

 Encrypt everything, everywhere, all the time
 VPN tunnels everywhere
 PW policy that enforces a minimum of 13 complex characters for passwords (passphrases are evangelized heavily) + mandatory MFA via an Authenticator app + 365-day rotation policy (unless someone phishes their credential or it comes up on a #darkweb monitor) + 30-day token expiration - we do have filtering to prevent anyone reusing old passwords or common passwords (no, I don't pay for it, you can integrate with AD directly with some clever #powershell, #jfgi).
 For our admin accounts, we require #passphrases of at least 4 words (7 are recommended), using the diceware method (physical, not a website). PW rotation occurs every 180 days. Tokens expire every 24 hours.
 Service accounts (where we cannot use auto-cycling API tokens) require a minimum 24-character very complex password or 4-word passphrase, as MFA is required to be disabled. PW rotation occurs every 180 days.
 Awareness trainings every quarter for high-risk/high-exposure employees, annually for the rest of the company. I update my presentation facts, data, and reported metrics frequently based on OSINT, SIGINT, HUMINT, research, and constant education.

#BeCyberSafe #StayCyberAware