Posted on 10/15/2017 3:16:37 PM PDT by zeugma
NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
http://nvlpubs.nist.gov/nistpubs/...
Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)
Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...
Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/
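As an added example (not code from the post, from NIST, or from any linked article), here is a password check written to the approach the guidelines above describe: a length floor and a blocklist lookup instead of composition rules, and no expiry logic at all. The 8/64 length bounds and the NFKC normalization follow SP 800-63B's memorized-secret section; the blocklist contents, the 64-character cap and the context-word check are constructed assumptions for illustration.

```python
import unicodedata

# Constructed blocklist standing in for a breached-password / dictionary feed.
# A real deployment would load a large corpus here instead of six strings.
BLOCKLIST = {
    "password", "p@ssw0rd", "123456", "admin", "letmein", "qwerty",
}

MIN_LEN = 8    # SP 800-63B: at least 8 characters for a user-chosen secret
MAX_LEN = 64   # SP 800-63B: verifiers should permit at least 64; capping here is a choice


def normalize(secret: str) -> str:
    """Apply the Unicode NFKC normalization 800-63B calls for, so the same
    passphrase typed on different keyboards yields the same bytes."""
    return unicodedata.normalize("NFKC", secret)


def has_repetition_or_sequence(s: str) -> bool:
    """Flag trivially repetitive ('aaaaaaaa') or sequential ('12345678',
    'hgfedcba') strings. No composition rules are applied anywhere."""
    if len(set(s)) == 1:
        return True
    codes = [ord(c) for c in s]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({1}, {-1})


def check_secret(secret: str, context_words=()) -> list:
    """Return the list of rejection reasons; an empty list means accepted.
    context_words are service-specific strings (username, site name) that
    should also be refused."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if len(s) > MAX_LEN:
        reasons.append("too long")
    folded = s.casefold()
    if folded in BLOCKLIST:
        reasons.append("commonly used or breached")
    if has_repetition_or_sequence(s):
        reasons.append("repetitive or sequential")
    for w in context_words:
        if w and w.casefold() in folded:
            reasons.append(f"contains context-specific word {w!r}")
    return reasons
```

A passphrase with spaces such as "correct horse battery staple" passes, while "p@ssw0rd" and "1234" from later in this thread are refused.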
I'd say that they'd be better off with a 2-factor scheme, like something that sends a one-time code to your phone. Unfortunately, given the number of times I end up having to enter a password every day, that would really, really suck.
I just use admin:admin for everything. For routers and stuff like that, never change the defaults, so that in case you forget them they can always be looked up on the internet.
One of my recent PWs assigned to me: *3Ga^=qrT_`~491011zQr9-A
>>Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in.<<
Worse, people put them on yellow sticky notes so all you have to do is look around their cubicle or office desk to find the passwords.
Looks like one of mine.
I change my passwords about every 6 weeks or so.
I also alter the number of characters I use between old and new PWs for the same app.
Probably don’t need to do that, but it is an ingrained habit now.
Very intuitive. Just write it on a Post It note and stick it under your monitor. Most hacks are from outside the company.
Guess it is better than Password
I do a certain pattern on my keyboard. When it’s time to change I simply shift and use the same pattern.
And if I forget, I always know it will be some derivation of the pattern.
Funny. We have an unproductive employee who left her laptop at the office.
We decided to repurpose it to another employee.
So, I opened her desk and sure enough she had a post it with all her passwords.
Use “p@ssw0rd” for your password. No one would ever guess...
Just use a long sentence, like “Mary had a little lamb”, but change one aspect, i.e. “Andrew had a little lamb”,
and type it as one word,
“Andrewhadalittlelamb”.
Easy to remember, and more than enough to be safe.
DonaldTrumpIsTheGodEmperor
or
Re-ElectDonaldTrumpIn2020
No liberal would willingly type those phrases even if it meant access to millions...
I’ve always used dead pets and old phone numbers.
Use numbers to make it harder.
1234
“I’d say that they’d be better off with a 2-factor scheme”
That was also dropped from the NIST spec.
The insecurity of that scheme made it less reliable.
There are only three things that make for security: What you know, are, and have.
Two-factor was just another ‘what you know’. Each insecurity of the ‘what you know’ compounds the problem; it doesn’t increase the strength of each ‘know’.
Two-factor that includes ‘what you are’ or ‘have’ does help, but civilians rarely have the technical ability to add an ‘are’ or ‘have’.
I sometimes go into “Special Fonts” to create passwords. If someone wants to spend the time going through fish, airplane, math symbols, good luck!
1 2 3 4 5