Posted on 10/15/2017 3:16:37 PM PDT by zeugma
NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
http://nvlpubs.nist.gov/nistpubs/...
Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)
Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...
Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/
Lol, I was expecting that :)
That one PW is not written down, and it is a 28 character combination of numbers, cap and lower alpha, and of course numbers :D
(PITA once a day)
oops, replace one of the ‘numbers’ with punctuation marks ;^)
What helipad? :)
Blue, the key to these security questions is, first, they don't have to be responsive to the question at all, and second, they usually don't have to be different. So be consistent on every website that asks security questions and you'll never forget the answers. Finally, for security of your data, they should never be truthful. For example:
Prying eyes could see a crypto dongle device or security card just the same as prying eyes looking at a cell phone.
I read the article. However I did not read all 4 volumes of NIST.SP.800.63b. I was hoping you could cut and paste what you referenced since you obviously did read all 4 volumes.
More things we knew 40 years ago. Glad to see the bureaucracy catching up to common sense.
I'd strongly recommend Password Safe. It is a great program for keeping track of passwords (or any data like that). It uses strong encryption on the file. I use a Linux version of that called "keepass2". My strongest password is used there, since it is a big secret that protects many more.
“Stop it with the annoying password complexity rules. They make passwords harder to remember. “
Not true. Your password should be based on something you remember like your address or phone number when you were a child.
Example : Fone919-275-7334
or Lincoln_Road_917
That works until you forget the password to KeyPass or until KeyPass isn’t available.
My home list of passwords includes my home list of security questions, since my answers are fake. But with passwords for a hundred websites...I write them down.
There are government websites I use a couple of times a year. The password requirements turn them into a ‘one use and done’ scenario.
For a while, I worked at a place that assigned us passwords, 16 characters, and changed them every 2 weeks. They gave up when they realized EVERY employee kept the password written on their desk.
I'm not sure why keypass wouldn't be available. There are versions for Linux, Windows, OS X, Android, and iOS.
As for forgetting the password being a problem, the post I was responding to mentioned they were using an encrypted 7zip file. Same issue would apply. Also, there are known attacks against the crypto used by 7zip. Better off using PGP or a program with known built-in crypto. Keepass/PasswordSafe can use 3-des, AES, blowfish or twofish, all of which are reasonably strong for any personal use.
As an aside, in the past I've seen folks bitching that you shouldn't let your browser store your passwords. That's true to an extent, as not all browsers are created equal. Sometime last year I read a paper analyzing browser password implementations. Firefox's password encryption implementation seemed to be well designed and implemented, if you choose a good master passphrase. IE, not so much, but then, we don't generally expect actual security from Microsoft products. If I recall correctly, Chrome had some issues as well, though it was generally better than IE.
OMG! Two weeks???? I've never worked any place that stupid before. Thank God. 30 days was the worst for me, and they eventually gave up and went to 60, which is still way too often.
“I’m not sure why keypass wouldn’t be available.”
Because you are using a different computer. Or your hard drive fails. Or KeyPass gets PWN3D.
We had a guy at work get hit with an Encryption Blackmail. His backups were too old and he used KeyPass for everything. It was a mess.
I keep mine in a MySQL database that gets exported and backed up.
That's why you have backups.
“We had a guy at work get hit with an Encryption Blackmail. His backups were too old and he used KeyPass for everything. It was a mess.”
Sounds self-inflicted to me. If your backups are old, what's the point of them? Daily backups with regular offsite rotations will protect you from just about anything.
“I keep mine in a MySQL database that gets exported and backed up.”
Exported as what? Plain text? keepass is a database as well, but the DB itself is encrypted. If your data is lying around in plain text, or even as an unencrypted record in a DB, it can be read.
Backups??? No one does those. :)
7-Zip-encrypted. The least of my worries. If someone breaks into that machine, I have much worse problems than someone finding an encrypted file that looks like garbage.
We were at a meeting the other day and some guy tried to demo a system but didn’t realize the computer at the client didn’t have his Keypass on it. The company didn’t allow outside computer connections to the network so he didn’t bring a laptop.
Being a programmer, I am not comfortable relying on technology.
Everyone here has some good ideas and stories about remembering passwords and password pain, but I’ve found an easy way to do it. For most sites, I only login every so often, so I go for two or three attempts, then just reset my password. Works pretty consistently!
Thank you for the info... I’ll look up keepass2 (hopefully available for KDE ;^))
Yup. Works well with KDE. That’s my preferred window manager.