Changes in Password Best Practices

Crypro-Gram ^ | 10/15/2017 | Bruce Schneier

[zeugma]

NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:

• Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

• Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

• Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

http://nvlpubs.nist.gov/nistpubs/...

Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)

Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...

Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/

[Bikkuri]

Lol, I was expecting that :)
That one PW is not written down, and it is a 28 character combination of numbers, cap and lower alpha, and of course numbers :D

(PITA once a day)

[Bikkuri]

oops, replace one of the ‘numbers’ with punctuation marks ;^)

[Family Guy]

Why is there a penguin on the helipad?

What helipad? :)

[pigsmith]

Then there are those with a grid of thumbnail pictures: "Click all pictures showing a car" and as they are clicked another one pops up somewhere else.

[Swordmaker]

Yeah, I remember early in the internet when I had multiple email accounts and they required security questions, which I also found way too personal, I would purposely use bogus answers whicch only I would know, but after say 10 years and not using certain email accounts regularly, I had to abandon a few accounts for not knowing certain answers as I never wrote them down. Questions like mother’s maiden name or first pet or first school attended, I would make up bogus names and just try to commit to memory but they would always be fictitious.

Blue, the key to these security questions is, first, they don’t have to be responsive to the question at all, and second, they usually don’t have to be different. So be consistent on every website that asks security questions and you’ll never forget the answers. Finally, for security of your data, they should never be truthful. For example:

• Any question requiring a person’s or pet’s name answer "Einstein" (or your own choice of name)
  • "Who was your favorite elementary school teacher?" Answer: Einstein
  • "Who is your favorite movie star?" Answer: Einstein
  • "What was your father’s middle name?" Answer: Einstein
• For any place name, use a fictitious location answer like "Atlantis" (or another equally fictitious locale you won’t forget)
  • "Where did you meet your spouse?" Answer: Atlantis
  • "On what street did you grow up?" Answer: Atlantis
  • "Where did you go on your favorite vacation?" Answer: Atlantis
• All schools attended should be entirely fictitious and not related to you, and ALWAYS the same school, regardless of grade school, high school, or college. "Hogwarts" "Hardknocks" "DirtyTricks" "Joesbar" . . . I’ve Always been partial to the Sam Houston Institute of Technology. Their cheerleaders had some great cheers. . . "Let’s hear it for good old SHI. . . "well, you get the idea. . . etc.
• For favorite sports team, make one up. . . One you will remember. "Chicago Pandas" or "LA Sheep" or "SF Midgets"
• For favorite movie or TV show, pick something really off the wall that isn’t either a movie or a TV show, such as "Icebergs" or "Rare Steak"
• For questions that ask a month something occurred in, pick one and be consistent for all such questions. . .

As long as you ALWAYS USE THE SAME CONSISTENTLY FALSE ANSWERS for every security questions on every site that uses them regardless of the actual specifics of the questions, you,ll never forget them, never wonder if you typed upper or lower case, and always get access using them, and most importantly no crook can get into your data by researching you to learn what your answers should be.

[fulltlt]

Prying eyes could see a crypto dongle device or security card just the same as prying eyes looking at a cell phone.

[fulltlt]

I read the article. However I did not read all 4 volumes of NIST.SP.800.63b. I was hoping you could cut and paste what you referenced since you obviously did read all 4 volumes.

[AustinBill]

More things we knew 40 years ago. Glad to see the bureaucracy catching up to common sense.

[zeugma]

I keep all of mine in a PW encrypted .7z file.

I'd strongly recommend Password Safe. It is a great program for keeping track of passwords, (or any data like that) It uses strong encryption on the file. I use a Linux version of that called "keepass2". My strongest password is used there, since it is a big secret that protects many more.

[AppyPappy]

“Stop it with the annoying password complexity rules. They make passwords harder to remember. “

Not true. Your password should be based on something you remember like your address or phone number when you were a child.
Example : Fone919-275-7334
or Lincoln_Road_917

[AppyPappy]

That works until you forget the password to KeyPass or until KeyPass isn’t available.

[Mr Rogers]

My home list of passwords includes my home list of security questions, since my answers are fake. But with passwords for a hundred websites...I write them down.

There are government websites I use a couple of times a year. The password requirements turn them into a ‘one use and done’ scenario.

For a while, I worked at a place that assigned us passwords, 16 characters, and changed them every 2 weeks. They gave up when they realized EVERY employee kept the password written on their desk.

[zeugma]

That works until you forget the password to KeyPass or until KeyPass isn’t available.

I'm not sure why keypass wouldn't be available. There are versions for linux, windows, osx, android, and IOS.

As for forgetting the password being a problem, the post I was responding to mentioned they were using an encrypted 7zip file. Same issue would apply. Also, there are known attacks against the crypto used by 7zip. Better off using PGP or a program with known built-in crypto. Keepass/PasswordSafe can use 3-des, AES, blowfish or twofish, all of which are reasonably strong for any personal use.

As an aside, in the past I've seen folks bitching that you shouldn't let your browser store your passwords. That's true to an extent as not all browsers are created equal. Sometime last year I read a paper on an analysis browser password implementation. Firefox's password encryption implementation seemed to be well designed and implemented, if you choose a good master passphrase. IE, not so much, but then, we don't generally expect actual security from Microsoft products. If I recall correctly, Chrome had some issues as well, though it was generally better than IE.

[zeugma]

For a while, I worked at a place that assigned us passwords, 16 characters, and changed them every 2 weeks. They gave up when they realized EVERY employee kept the password written on their desk.

OMG! Two weeks???? I've never worked any place that stupid before. Thank God. 30 days was the worst for me, and they eventually gave up and went to 60, which is still way too often.

[AppyPappy]

“I’m not sure why keypass wouldn’t be available.”

Because you are using a different computer. Or your hard drive fails. Or KeyPass gets PWN3D.

We had a guy at work get hit with an Encryption Blackmail. His backups were too old and he used KeyPass for everything. It was a mess.
I keep mine in a MySQL database that gets exported and backed up.

[zeugma]

Because you are using a different computer. Or your hard drive fails. Or KeyPass gets PWN3D.

That's why you have backups.

We had a guy at work get hit with an Encryption Blackmail. His backups were too old and he used KeyPass for everything. It was a mess.

Sounds self-inflicted to me. If your backups are old, what's the point of them. Daily backups with regular offsite rotations will protect you from just about anything.

I keep mine in a MySQL database that gets exported and backed up.

Exported as what? Plain text? keepass is a database as well, but the DB itself is encrypted. If your data is lying around in plain text, or even as an unencrypted record in a DB, it can be read.

[AppyPappy]

Backups??? No one does those. :)

7-Zip-encrypted. The least of my worries. If someone breaks into that machine, I have much worse problems than someone finding an encrypted file that looks like garbage.

We were at a meeting the other day and some guy tried to demo a system but didn’t realize the computer at the client didn’t have his Keypass on it. The company didn’t allow outside computer connections to the network so he didn’t bring a laptop.
Being a programmer, I am not comfortable relying on technology.

[Svartalfiar]

Everyone here has some good ideas and stories about remembering passwords and password pain, but I’ve found an easy way to do it. For most sites, I only login every so often, so I go for two or three attempts, then just reset my password. Works pretty consistently!

[Bikkuri]

Thank you for the info... I’ll look up keepass2 (hopefully available for KDE ;^))

[zeugma]

Yup. Works well with KDE. That’s my preferred window manager.