The Register: UPS supplier’s password policy flip-flops from unlimited, to 32, then 64 characters

Source URL: https://www.theregister.com/2024/09/23/cyberpower_password_changes/
Source: The Register
Title: UPS supplier’s password policy flip-flops from unlimited, to 32, then 64 characters

Feedly Summary: That ‘third party’ person sure is responsible for a lot of IT blunders, eh?
A major IT hardware manufacturer is correcting a recent security update after customers complained of a password character limit being introduced when there previously wasn’t one.…

AI Summary and Description: Yes

Summary: A major IT hardware manufacturer, CyberPower Systems, is addressing customer concerns regarding a new password character limit introduced in a recent security update. Initially set to 32 characters, the limit will now be extended to 64 characters after feedback from users. This incident highlights the complexities and contradictions involved in password security practices, especially in the context of industry guidelines.

Detailed Description:
The recent situation with CyberPower Systems provides an insightful case study into the evolving landscape of password security and its implications for organizations working with sensitive data.

– **Initial Password Update Issue**:
– A character limit of 32 was introduced for passwords in the PowerPanel Cloud app due to a third-party security auditor’s recommendation.
– This change led to significant customer backlash, especially as users with longer existing passwords were unable to authenticate.

– **Revised Decision**:
– Following customer complaints, CyberPower decided to raise the maximum password length to 64 characters, the floor that current guidelines set for any maximum, so that customers with long existing passwords can authenticate again.

– **Expert Insights**:
– The incident has raised questions about the decision-making process behind security updates and the importance of customer-centric approaches.
– CyberPower clarified that passwords were not being truncated. This mattered because a length cap that silently cuts off input is a classic sign of insecure handling, such as a fixed-width storage field or passwords kept in plain text rather than hashed in full.

– **Industry Standards**:
– Multiple industry guidelines (NIST, OWASP, NCSC, and CISA) advocate allowing long passwords and discourage tight caps; NIST SP 800-63B and OWASP both say a verifier should accept at least 64 characters, with any upper bound existing only to keep hashing cost predictable.
– The guidance emphasizes safe password practices, promoting the use of multi-factor authentication (MFA) and single sign-on (SSO) solutions in conjunction with longer passwords.
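The two points above, a 64-character floor on the maximum and no silent truncation, are easy to get wrong in a verifier. The following is an added example, not CyberPower's code and not from the article: a small Python policy check that rejects out-of-range input instead of cutting it, hashes the whole password with scrypt (an assumed choice of KDF via hashlib), and, for contrast, a hypothetical verifier that truncates at 32 characters to show why two different passwords then collide. All sample passwords are constructed.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Policy values: minimum 8 characters, maximum 64, counted after NFKC
# normalisation so that visually identical inputs are treated alike.
MIN_LEN = 8
MAX_LEN = 64
SALT_LEN = 16


class PasswordPolicyError(ValueError):
    """Raised when a password violates the length policy; never silently fixed."""


def normalize(password: str) -> str:
    return unicodedata.normalize("NFKC", password)


def validate_length(password: str, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> str:
    """Return the normalised password, or raise if its length is out of policy.

    Over-long input is rejected, not cut down: silent truncation would make
    two different passwords that share a prefix authenticate as the same secret.
    """
    pw = normalize(password)
    if len(pw) < min_len:
        raise PasswordPolicyError(f"password too short: {len(pw)} < {min_len} characters")
    if len(pw) > max_len:
        raise PasswordPolicyError(f"password too long: {len(pw)} > {max_len} characters")
    return pw


def length_ok(password: str) -> bool:
    """Boolean form of validate_length for callers that only need a verdict."""
    try:
        validate_length(password)
        return True
    except PasswordPolicyError:
        return False


def _kdf(secret: bytes, salt: bytes) -> bytes:
    # scrypt with N=2^14, r=8 costs about 16 MiB per derivation; the bounded
    # input length also bounds the work one login request can impose.
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Hash the whole (validated) password; returns salt || digest."""
    pw = validate_length(password).encode("utf-8")
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    return salt + _kdf(pw, salt)


def verify_password(password: str, stored: bytes) -> bool:
    try:
        pw = validate_length(password).encode("utf-8")
    except PasswordPolicyError:
        return False  # out-of-policy input can never match a stored record
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_kdf(pw, salt), digest)


# --- the failure mode customers were worried about -------------------------

def truncating_hash(password: str, salt: bytes, cutoff: int = 32) -> bytes:
    """Hypothetical insecure verifier that silently keeps only the first
    `cutoff` characters. Constructed for contrast; not CyberPower's code."""
    return salt + _kdf(normalize(password)[:cutoff].encode("utf-8"), salt)


def truncation_collides(correct: str, wrong: str, cutoff: int = 32) -> bool:
    """True when the truncating verifier accepts `wrong` for an account whose
    password is `correct`, i.e. when the two share their first `cutoff` chars."""
    salt = b"\x00" * SALT_LEN  # fixed salt so the comparison is deterministic
    stored = truncating_hash(correct, salt, cutoff)
    return hmac.compare_digest(truncating_hash(wrong, salt, cutoff), stored)


if __name__ == "__main__":
    # Constructed sample inputs: a 40-character password and a forgery that
    # matches its first 32 characters only.
    real = "A" * 32 + "tail1234"
    forged = "A" * 32 + "ZZZZZZZZ"
    print("truncating verifier accepts forged:", truncation_collides(real, forged))
    rec = hash_password(real)
    print("full-length verifier accepts forged:", verify_password(forged, rec))
    print("65-char password rejected:", verify_password("x" * 65, rec))
```

The same hazard exists below the application layer: bcrypt, for instance, only uses the first 72 bytes of its input, so a policy that allows 64 characters of multi-byte UTF-8 can still be truncated by the hash function unless the length check counts bytes as well as characters, or the password is pre-hashed before bcrypt.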

– **Practical Implications for Security and Compliance**:
– Organizations need to critically evaluate password policies and security updates to ensure they strike a balance between security and user accessibility.
– Increased awareness of password security practices can lead to better compliance with regulatory frameworks and industry best practices.
– The situation underscores the importance of communication and transparency in security practices and policies, as this can greatly impact user trust and overall security posture.

Despite a seemingly simple security update, this scenario illustrates the broader complexities associated with password management and highlights the ongoing need for alignment with established security standards.