September 23, 2024 at 08:09AM
A major IT hardware manufacturer faced backlash over a recent security update imposing a 32-character limit on passwords. The company, CyberPower Systems, responded to customer complaints by doubling the limit to 64 characters. The change, initiated by a third-party auditor’s recommendation, will be implemented within two weeks. Experts debate the efficacy of password length limits, while national cyber agencies emphasize MFA and SSO solutions over stringent password complexity requirements.
Key takeaways from the meeting notes are as follows:
– A major IT hardware manufacturer is addressing a recent security update involving a password character limit after customer complaints.
– CyberPower Systems, a seller of UPS and surge protectors, confirmed that the character limit will be doubled from 32 to 64 following customer pushback.
– The change was discovered by a customer, leading to questions from the infosec community.
– The company stated that a third-party security auditor recommended the limit on password length, which was not previously in place.
– It was revealed that longer passwords continued to work for some customers, and there were discussions around the security implications of password length.
– Both NIST and OWASP provide guidance on password length, with recommendations for at least 64 characters and discouragement of artificial caps and complex requirements.
– National cyber agencies such as the UK’s NCSC and the US’s CISA also advocate for longer passwords and multi-factor authentication, while discouraging artificial length limits and default credentials.
Overall, the discussion highlighted the importance of password length and security standards advocated by national cyber agencies.