Posted on 10/15/2017 3:16:37 PM PDT by zeugma
NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
http://nvlpubs.nist.gov/nistpubs/...
Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)
Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...
Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/
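The three suggestions above amount to a concrete policy change in the verifier. Here is an added example (not code from the original post or from NIST) that puts a legacy composition rule beside an SP 800-63B-style check: length plus a compromised-password blocklist, no character-class rules, spaces and passphrases allowed. The blocklist is a constructed in-memory set standing in for a real breach corpus, and the 128-character cap is an assumed implementer's choice (NIST only requires that at least 64 be permitted).

```python
import re
import unicodedata

# Constructed stand-in for a real list of breached / commonly used passwords.
BREACHED = {"password", "123456", "qwerty", "letmein", "sh0p@home"}

MIN_LEN = 8     # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 128   # assumed implementer cap; NIST says at least 64 must be accepted


def legacy_complexity_ok(pw: str) -> bool:
    """The kind of composition rule the post argues against:
    8-16 characters with upper, lower, digit and symbol all present."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_check(pw: str, breached=BREACHED) -> list:
    """Return the reasons a candidate secret is rejected; empty list means accepted.
    No composition rules and no expiry: only length and a blocklist comparison."""
    # Normalise first so visually identical Unicode input is treated the same.
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        # Reject rather than silently truncate, so the user knows what was stored.
        reasons.append("longer than the verifier accepts")
    # Case-folded comparison is a design choice here, not a NIST requirement.
    if pw.casefold() in breached:
        reasons.append("appears in compromised/common password list")
    return reasons


def compare(pw: str) -> dict:
    """Show how the same candidate fares under each policy."""
    return {"legacy_accepts": legacy_complexity_ok(pw),
            "nist_rejects_because": nist_check(pw)}


if __name__ == "__main__":
    for candidate in ("0DrycticJu!", "Myyardisfilledwithacorns",
                      "My yard is filled with acorns", "Sh0p@home"):
        print(repr(candidate), compare(candidate))
```

Run it and the passphrase the thread likes is rejected by the legacy rule and accepted by the NIST-style check, while the "complex" but breached string is the reverse.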
That would be a bitch to type on a smartphone.
Two factor was just another ‘what you know’. Each insecurity of the ‘what you know’ compounds the problem; it doesn’t increase the strength of each ‘know’.
Actually, this was exactly what the two-factor was attempting to solve. What you know is your password. What you have is your phone. As I said before, works well for some stuff. If it's something you have to do 10 times a day, it sucks. When I boot up my crappy laptop, I have to enter my password about 5 times to get everything set up for the day's work. Fortunately, the only 2fa I have is the vpn connection.
----------------
Yep, that one would take 67.75 billion centuries of high speed random guesses to crack according to Steve Gibson ("Spinrite" disk recovery author & a security expert)...he had the same idea as most of this article years ago...his interesting "Password Haystack" site is here: https://www.grc.com/haystack.htm
Dude, I could have written everything you just said.
Regarding the 1,2,3,4,5 items. It freaking drives me crazy. Which is a better password? "Myyardisfilledwithacorns", or "0DrycticJu!"? I've taken to actively subverting the entire scheme, by choosing passwords that actually fit their requirements, yet are ridiculously simple. I recently had "Sh0p@home" as my primary password. It passed their 'complexity' test, yet I consider it to be a horrid password that I would never use on anything I really wanted to secure. I would say the first is better if for nothing else, that it is easily remembered, is long, and with a little practice, easy to type very quickly.
Also agreed about the captcha stuff. Being someone who is fairly color-blind, I sometimes have a really hard time discerning the letters/numbers.
Then, there is the stupid "security question" thing. Frankly, I think the questions they ask are none of their freaking business, and hackers have used these things to subvert the accounts of some famous folks, because the vast majority of the questions were a part of publicly available information. To subvert that, I'd used schemes like using an md5 hash of the answer instead of the answer itself, but that really gets to be a bit of a pain as well.
Mine is frequently ********
Just write it on a Post It note and stick it under your monitor.
= = =
After our secretary was let go before her 30 day trial was up, I turned over her keyboard:
ObeySubmit7 was her password, written there.
We were not her first try-out.
I’ve been told that in ancient days, you could have had a backspace in your password (probably some kind of UNIX enhancement).
Yeah, I remember early in the internet when I had multiple email accounts and they required security questions, which I also found way too personal. I would purposely use bogus answers which only I would know, but after say 10 years and not using certain email accounts regularly, I had to abandon a few accounts for not knowing certain answers, as I never wrote them down. Questions like mother’s maiden name or first pet or first school attended, I would make up bogus names and just try to commit them to memory, but they would always be fictitious.
I have said for a decade that password complexity only leads to passwords being written on sticky notes and pasted to the monitor.
= = =
I used to bury them in the phone list I had written on the wall. Used a lot of numbers. It wasn’t just one of the numbers, but one of them with an extra text or special character.
My theory was that the mandatory password update was to weed out older employees.
Every 2 months, you have to get a new password, each one longer and more complex than the last one. Finally you can’t remember it. After attempting 3 tries, you get a dialog box which offers you retirement, just click to accept.
I used Tolkien to develop my secret phrase. It’s a Dwarvish expression translated into Elvish. Anyone nerdy enough to get that is welcome to share my Wi-Fi.
I had trouble with those security questions.
If you’re born in, for example, Chicago Illinois you have to remember HOW you entered it.
It’s several months later so I couldn’t remember if I had typed “Chicago”, “Chicago IL”, “Chicago, IL” or “Chicago, Illinois”, so I got booted.
This.
I use a single word and the date of the last change.
Brute Force Cracking might get that pretty quick...
I know... No matter what PW I type in, it always changes to that. It must be a conspiracy!
{snickering ;^D}
Use Control Codes. Not sure if you still can, I would forget what I put in if I did use CC.. lol
I keep all of mine in a PW encrypted .7z file.
I would have written Shy Town.
Don't forget to write the PW for the PW encrypted file on a Post-It note. ;p)
I know. After a few rounds of CAPTCHA, it's more like you're playing a pointless game like Tetris than signing in to your account. I wonder over the millions of users how many hours of productivity this wastes on a global level having to jump through hoops and try to guess a distorted image or if random colored curves are actual letters or numbers or not.
wPIU9cIWH1S
That's correct, rightttttttttt????????
I waste all my time at work reading Free Republic. Diddling with CAPTCHAs is an insignificant part of the productivity I eschew for knowledge.