Posted on 10/15/2017 3:16:37 PM PDT by zeugma
NIST recently published its four-volume SP800-63-3 Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
http://nvlpubs.nist.gov/nistpubs/...
Why password complexity rules are bad:
https://www.wsj.com/articles/... (link behind paywall)
Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/...
Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/
“Further, I’d say corporations would do better to have a crack program continuously on their password database. If they manage to crack someone’s pass, they can force a password change.”
Absolutely. Cyber security assessments are definitely a best practice. Defeating passwords should be part of that continuous assessment.
1) now passwords usually have to be longer than 8 characters.
2) now passwords need at least a capital letter
3) a lot of passwords now need a "special character" like #$%^^& etc.
4) all passwords now need a number
5) you cannot re-use older passwords if you forget the new one and reset it because of all these stupid new rules...
I still like my old passwords that pre-dated all of these stupid rules. One caveat is, if I forgot them, I'd have to reset it and would not be able to use them ever again. Hell, I still have passwords less than 6 digits with no number and no it's not admin lol. Funny thing is, these outdated passwords are probably more secure now, since no one would expect such a short password with no number, since this hasn't been a standard for over 10 years now.
Other pet peeves regarding passwords are the stupid CAPTCHA security protocol where you need to type barely readable letters that are twisted to the point where you have to wonder if it is a lower case g or a 9, or a capital W or two v's.
Lastly, another stupid security check (and this is even if you are logged in with a correct password) is a picture that is cut into several smaller squares and you need to click on all boxes that show store fronts, or street signs. Well, some will show a street sign but the street sign pole is in other boxes, and I'm still not sure if the pole is considered the street sign or just the sign part itself. Then to make it worse this may continue for 3 or 4 different pictures before you can proceed.
Now recently, they even have a newer spin on CAPTCHA, where it displays several small pictures within a grid, and wants you to click on all pictures that show for example, water. The images disappear then reappear with new images and this can go on for minutes. What a PITA they have made this.
Now more and more they simply send a code to your cell phone and you enter the code.
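As an added illustration (not code from the thread, from NIST, or from any of the posters), the following Python check puts the five legacy composition rules listed above side by side with an SP 800-63B style check that only enforces length and a blocklist. COMMON_PASSWORDS is a small constructed stand-in for a real common/breached-password list, and the rule names and helper functions are my own.

```python
import unicodedata

# Constructed sample blocklist standing in for a real list of common or
# breached passwords (a production verifier loads a far larger corpus).
COMMON_PASSWORDS = {"password", "p@55w0rd", "p@ssw0rd", "123456", "qwerty", "letmein"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def legacy_rules(pw, previous=frozenset()):
    """The composition rules the thread lists: minimum 8 characters, a capital
    letter, a number, a special character, and no re-use of an old password.
    Returns the names of the rules that failed (empty list = accepted)."""
    failed = []
    if len(pw) < 8:
        failed.append("min 8 chars")
    if not any(c.isupper() for c in pw):
        failed.append("capital letter")
    if not any(c.isdigit() for c in pw):
        failed.append("number")
    if not any(c in SPECIALS for c in pw):
        failed.append("special character")
    if pw in previous:
        failed.append("re-used")
    return failed


def nist_rules(pw):
    """SP 800-63B style check: Unicode-normalise, require 8 to 64 characters,
    allow spaces so pass phrases work, impose no composition rules, and reject
    only values found on the common/breached-password blocklist.
    Returns the names of the checks that failed (empty list = accepted)."""
    pw = unicodedata.normalize("NFKC", pw)
    failed = []
    if len(pw) < 8:
        failed.append("min 8 chars")
    if len(pw) > 64:
        failed.append("max 64 chars")
    if pw.lower() in COMMON_PASSWORDS:
        failed.append("blocklisted")
    return failed


def compare(pw, previous=frozenset()):
    """Report which of the two policies accepts a candidate password."""
    return {"legacy_ok": not legacy_rules(pw, previous),
            "nist_ok": not nist_rules(pw)}


if __name__ == "__main__":
    # "P@55w0rd" is the thread's own example of a string that satisfies the
    # old complexity rules; the pass phrase satisfies only the NIST-style check.
    for candidate in ("P@55w0rd", "correct horse battery staple", "Sh0rt!"):
        print(candidate, compare(candidate))
```

The contrast is the point of the NIST guidance: a leet-speak dictionary word clears every composition rule and is still trivially guessable, while a long pass phrase fails three of the legacy rules and is the stronger secret.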
Ping!
I had a roommate in college that was a Linguistics major. He created a language for a role-playing game that I still have a copy of. It is basically a replacement code for English words that replaces letters with difficult to pronounce syllables or sounds. An effort was made to make the words longer and difficult to say. The result is that the English name Steven (Not my name) comes out as Yupechezumdat.
I just translate my name into this fake language. So my password is my name.
Actually with most current password rules you'd need at least a capital letter in there though. I see you did add a special character as well as a number so you have that covered lol.
p@ssw0rD would work although most financial websites need 10-12 characters as a minimum so that still might not work...
One site forced frequent password changes.
Naturally I just included a number in the password that could be incremented.
Most passwords only need to be like door locks- safe against basically honest people.
I just did this today for a car forum. I clicked “forgot my password”, then it emailed me a link to click on to reset my password. I go to my email and click on the link, then it goes to the website and says “we just sent you a link to reset your password”. This extra step is retarded, as it used to just give you a password and then you go to the site to change the password and you’re done. I keep forgetting my password to some forums because of these new “special characters” or “10-12 character length” rules. I’ll probably forget it again next time I go to the site, and I purposely never write it down to leave a paper trail. Then it’s a PITA once I see what my password was, since I can’t re-use it.
I was joking. That was supposedly John Podesta’s password.
No one can remember the passwords so they write them down. When security is breached, hacked, stolen wallet, laptop or phone, all hell breaks loose. Passwords should be simple, unique to the user and all the same for the same level of security. All bank and investment - password one. All health and medications - password two. All chat rooms and forums - password three.
That would simplify things a bit.
My password is:
(All spaces! No one will ever figure that out.)
You left off the last half of the sentence in your quote.
Here’s the whole sentence:
“I’d say that they’d be better off with a 2-factor scheme, like something that sends a one-time code to your phone.”
So in this case the cell phone is something you have.
What 2 factor schemes does NIST say are unreliable?
Do you have a citation for your claim that NIST dropped
2 factor auth from their spec?
I truly detest those 'wack-a-mole' things.
I have said for a decade that password complexity only leads to passwords being written on sticky notes and pasted to the monitor.
I use Scripture references, like John 3:16. That isn’t the reference I use, but that’s the idea. And I use two separate references for the one passcode.
“So in this case the cell phone is something you have.”
No, a cell phone provides something you know because it is not guaranteed to be secure from prying eyes.
A crypto dongle device is something you have that no one else can have at the same time. A security card is something that you have that no one else can have at the same time.
Search for and read: NIST.SP.800-63b. Digital Identity Guidelines.
It’s all in there. The article gave the reference if you would just read the article before commenting.
Eventually, one has so many complex passwords you have to start writing them down and keeping them by the computer.
I suppose it is better than P@55w0rd. Which meets the old standards for complexity.
I had a login for my account with one of the big telecom companies a few year ago. They didn’t even allow special characters.