this post was submitted on 26 Sep 2024
13 points (100.0% liked)

Technology

59587 readers
3117 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L4s@lemmy.world
L3s@fry.gs
L4s@fry.gs
enu@lemmy.world
13
NIST proposes barring some of the most nonsensical password rules (arstechnica.com)
submitted 1 month ago by Amicitas@lemmy.world to c/technology@lemmy.world
163 comments fedilink hide all child comments
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

top 50 comments
sorted by: hot top controversial new old
[–] lvxferre@mander.xyz 8 points 1 month ago (65 children)

Reworded rules for clarity:

  1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
  2. Max length should allow at least 64 chars.
  3. You should accept all ASCII plus space.
  4. You should accept Unicode; if doing so, you must count each code as one char.
  5. Don't demand composition rules (e.g. "u're password requires a comma! lol lmao haha" tier idiocy)
  6. Don't bug users to change passwords periodically. Only do it if there's evidence of compromise.
  7. Don't store password hints that others can guess.
  8. Don't prompt the user to use knowledge-based authentication.
  9. Don't truncate passwords for verification.

I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible.

[–] frezik@midwest.social 3 points 1 month ago (2 children)

NIST generally knows what they're doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.

[–] grue@lemmy.world 1 points 1 month ago

NIST generally knows what they're doing

For now, at least. Could change after Inauguration Day.

load more comments (1 replies)
[–] cybersandwich@lemmy.world 1 points 1 month ago (1 children)

I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.

[–] lvxferre@mander.xyz 1 points 1 month ago

That stipulation goes rather close to #5, even not being a composition rule.

I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you're reasonably sure that your delay between failed password attempts works flawlessly.

[–] turtle@lemm.ee 1 points 1 month ago

It's crazy that they didn't include all the "should" items in that list. If you read the entire section, there's a critical element that's missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using "password" as their password, and keeping that forever. Really, really poor organization on their part. I'm already fighting this at work.

load more comments (62 replies)
[–] VantaBrandon@lemmy.world 4 points 1 month ago (11 children)

How about making it illegal to block copying and pasting on website forms. I'm literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

[–] johannesvanderwhales@lemmy.world 3 points 1 month ago (6 children)

Frankly I'm mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

There are plugins that will disallow this. I think the one I use is "don't fuck with paste"

[–] priapus@sh.itjust.works 0 points 1 month ago (2 children)

Never thought to look for an extension for that. Thanks for mentioning it.

load more comments (2 replies)
load more comments (5 replies)
[–] DelightfullyDivisive@lemmy.world 0 points 1 month ago (1 children)

It takes way less Delta V to push them into solar escape velocity.

load more comments (1 replies)
[–] kalpol@lemmy.world 0 points 1 month ago

Don't forget you save lots of fuel by firing out of the solar system instead

load more comments (8 replies)
[–] umami_wasbi@lemmy.ml 1 points 1 month ago* (last edited 1 month ago) (8 children)

the document is nearly impossible to read all the way through and just as hard to understand fully

It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

load more comments (8 replies)
[–] Feelfold@lemm.ee 1 points 1 month ago (3 children)

All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.

[–] DaPorkchop_@lemmy.ml 1 points 1 month ago

"Please insert your webcam."

load more comments (2 replies)
[–] xthexder@l.sw0.com 0 points 1 month ago (10 children)

Interesting that unicode support is suggested. Emoji passwords could be fun.

[–] LodeMike@lemmy.today 0 points 1 month ago (1 children)

Multiple languages.

load more comments (1 replies)
load more comments (9 replies)
[–] Madblood@lemmy.world 0 points 1 month ago (2 children)

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I'm good to go. If there's no internet available, the smart card will still get me into my computer. If I'm on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

load more comments (2 replies)
[–] Classy@sh.itjust.works 0 points 1 month ago (2 children)

The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that's very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it's my new password. Apparently this is more secure??

load more comments (2 replies)
[–] Semi_Hemi_Demigod@lemmy.world 0 points 1 month ago (2 children)

One thing they should change is the word "password." This implies that it's a short string. Changing it to "passphrase" will help people feel comfortable choosing credentials like "correct horse battery staple."

load more comments (2 replies)
load more comments
view more: next ›