Everything We are Doing with Passwords is Wrong

#Security #Computers #Passwords

Can we make passwords stronger yet easier to remember than those typically created to satisfy compliance requirements? Why do some restrictions on password composition, e.g. a complexity requirement mandating that a password contain a letter and a number, actually make passwords weaker and easier to crack? The top three takeaways from this presentation are:

  • Why passwords are not doing the job.
  • How does one describe a compensating control to an auditor to prove the implemented method is stronger than recommended approaches?
  • What other artifacts of the recommended approach, e.g. masking and forced periodic prophylactic password changes, should be revisited?


  Date and Time

  • Date: 08 Jun 2016
  • Time: 06:00 PM to 09:00 PM
  • All times are (GMT-07:00) US/Arizona
  Location

  • 5005 S. Wendler Drive
  • Tempe, Arizona
  • United States
  • Building: ITT



  Speakers

Hoyt L Kesterson II of Terra Verde Services

Topic:

Everything We are Doing with Passwords is Wrong


Biography:

Hoyt L Kesterson II is a senior security architect with Terra Verde Services. He’s been doing security for a really long time. He’s a CISSP, a QSA, a testifying expert, and a co-chair of the American Bar Association Electronic Discovery and Digital Evidence committee. He’s a frequent presenter at the RSA Security Conference.





Agenda

Networking and light meal from 6-7 PM. Speaker at 7 PM.