Changes in Password Best Practices

Crypro-Gram ^ | 10/15/2017 | Bruce Schneier

[zeugma]

NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:

• Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

• Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

• Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

http://nvlpubs.nist.gov/nistpubs/...

Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)

Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...

Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/

[zeugma]

Gotta say, I agree with him on all points. I have passwords that I use for my own personal things, such as for example, my password management program, that I haven't changed in quite a long time. Why don't I change them? First, because they are really good passphrases, that are actually quite long by password standards (30 or so characters). Second, even though they are long, because I've been using them for a while, I can type them really fast.It's freaking muscle-memory by now. Third, if I did change them, it's going to take a while to get to the same speed and accuracy.

I'd say that they'd be better off with a 2-factor scheme, like something that sends a one-time code to your phone. Unfortunately, given the number of times I end up having to enter a password every day, that would really, really suck.

[zeugma]

Further, I'd say corporations would do better to have a crack program continuously on their password database. If they manage to crack someone's pass, they can force a password change.

[glorgau]

I just use admin:admin for everything. For routers and stuff like that, never change the defaults, so that in case you forget them they can always be looked up on the internet.

[umgud]

One of my recent PW’s assigned to me; *3Ga^=qrT_`~491011zQr9-A

[freedumb2003]

>>Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in.<<

Worse, people put the on yellow sticky notes so all you have to do is look around their cubicle or office desk to find the passwords.

[PIF]

looks like one of mine

[txnativegop]

I change my passwords about every 6 weeks or so.

I also alter the number of characters I use between old and new pw’s for the same app.

Probably don’t need to do that, but it is an ingrained habit now.

[dfwgator]

[FatherofFive]

One of my recent PW’s assigned to me; *3Ga^=qrT_`~491011zQr9-A

Very intuitive. Just write it on a Post It note and stick it under your monitor. Most hacks are from outside the company.

Guess it is better than Password

[dfwgator]

I do a certain pattern on my keyboard. When it’s time to change I simply shift and use the same pattern.

And if I forget, I always know it will some derivation of the pattern.

[Vendome]

funny. We have an unproductive employee who left her laptop at the office.

We decided to repurpose it to another employee.

So, I opened her desk and sure enough she had a post it with all her passwords.

[Ken H]

Use “p@ssw0rd” for your password. No one would ever guess...

[CondorFlight]

Just use a long sentence, like “Mary had a little lamb”, but change one aspect, ie. “Andrew had a little lamb”,

and type it as one word,

“Andrewhadalittlelamb”.

Easy to remember, and more than enough to be safe.

[Vendome]

[grey_whiskers]

How about

DonaldTrumpIsTheGodEmperor

or

Re-ElectDonaldTrumpIn2020

No liberal would willingly type those phrases even if it meant access to millions...

[outofsalt]

I’ve always used dead pets and old phone numbers.

[bgill]

Use numbers to make it harder.

1234

[CodeToad]

“I’d say that they’d be better off with a 2-factor scheme”

That was also dropped from the NIST spec.

The insecurity of that scheme made it less reliable.

There are only three things that make for security: What you know, are, and have.

Two factor was just another ‘what you know’. Each insecurity of the ‘what you know’ compounds the problem; it doesn’t increase the strength of each ‘know’.

Two factor that includes ‘what you are’ or ‘have’ does help, but civilians rarely have the technical ability to add an ‘are’ or ‘have’.

[Dr. Bogus Pachysandra]

I sometimes go i into “Special Fonts” to create passwords. If someone wants to spend the time going thru fish, airplane, math symbols, good luck!

[BenLurkin]

1 2 3 4 5