top | item 36933147

rabeener | 2 years ago

One reason not covered here is that a lot of companies still contractually require their software services vendors to follow old, outdated password rules that reflect Burr's old password requirements. This includes password complexity rules and forcing regular password changes on employees. The companies wrote a bunch of security requirements a few years ago, but no one is really responsible for making sure those requirements stay modern, for example removing password requirements and instead requiring WebAuthn. So what was supposed to be something that made vendors do the right thing with security has now become something that makes these companies unable to adapt to new security theories and practices.