Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'
Changed often, never shared? Prevailing wisdom suggests otherwise
Israel's newly appointed cyber chief has raised eyebrows by offering questionable password advice during a high-profile presentation.
Yigal Unna, Director General, Israel National Cyber Directorate, joked that passwords should be treated like underpants: changed often and never shared. His point was contained in a slide delivered towards the end of a keynote presentation at the Israel Cyber Week main plenary on 20 June.
The advice goes against the prevailing wisdom in security circles, which leans towards using a password manager alongside a complex, unique password. If users are told to change their passwords often, they are likely to use variants or something with the same root – making their passwords more easily crackable.
Per Thorsheim, founder of PasswordsCon conference, commented: "Research has shown that forced & regular change decreases security. They should check out @CESG_HMG, @CyLab @lorrietweet & read @usnistgov SP800-63B. Pretty sure password / OWASP friends in Israel may chime in with support as well."
Robert Pritchard, a former UK.gov cybersecurity consultant turned security trainer, noted that it wasn't only Unna who departed from orthodoxy. "I still see resistance to the no requirement to change passwords for no reason message, often from security people."
Israel Cyber Week, hosted by Tel Aviv University, brought cybersecurity heavyweights from academia and business together with infosec luminaries, such as Bruce Schneier and Chris Roberts, and government representatives. The UK delegation was led by Ciaran Martin, chief exec of the National Cyber Security Center.
Israeli prime minister Benjamin Netanyahu dropped in for a speech and a photo after Unna. During his presentation, in which he bigged up the country's cybersecurity sector, Netanyahu included, as a joke, a fsociety-style "audience, your bank accounts have all been hacked" video segment (below, skip to 2:00).
It was a slick video well delivered, but it did make Mr Robot suddenly feel a little less edgy. ®
"Pants" means "underwear", not "trousers", in Britain. In UK slang, it also means "rubbish", as in "bad".
Updated to add
An Israeli government spin doctor has been in touch to say we got the wrong end of the stick and Yigal Unna is not an advocate of frequent password changes.
"[In] the full presentation, the Director General suggested NOT to follow the 'pants' advice, but to take example of the attractive delivery method that attracted the attention of people... It was part of the speech dealing with the human factor and its importance in the overall cybersecurity effort."