this post was submitted on 26 Sep 2024
13 points (100.0% liked)

Technology

59587 readers
5236 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

(page 2) 50 comments
[–] BelatedPeacock@lemmy.world 0 points 1 month ago

At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.

A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

A.k.a. use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn't work for (the password manager's password, encrypted system partitions, etc). I'm assuming I just summed up 35,000 words.

[–] PenisDuckCuck9001@lemmynsfw.com 0 points 1 month ago* (last edited 1 month ago) (1 children)

Please ban all the stupid password rules. I would rather just get hacked than be required to come up with an impossible to remember password with ever-increasing requirements once a month. It's too much.

[–] darklamer@lemmy.dbzer0.com 0 points 1 month ago

Please ban all the stupid password rules.

Yes.

I would rather just get hacked […]

Eh, no.

[–] cmnybo@discuss.tchncs.de 0 points 1 month ago (4 children)

Any password length (within reason) and any character should be allowed. It's going to be hashed and only the hash will be stored right? Length and character limits make me suspect it's being stored in plain text.

[–] escapesamsara@lemmings.world 0 points 1 month ago (1 children)

Then you're vulnerable to simple brute force attacks, which, if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.

[–] cmnybo@discuss.tchncs.de 0 points 1 month ago (2 children)

By any length I meant no maximum length. Obviously you don't want to use a super short password.

[–] MelodiousFunk@slrpnk.net 0 points 1 month ago (1 children)
[–] catloaf@lemm.ee 0 points 1 month ago

Mine is the null string. They'll never guess it!

[–] frezik@midwest.social 0 points 1 month ago (1 children)

Rules here are 64 as a reasonable maximum. A lot of programmers don't realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.

[–] AliasVortex@lemmy.world 0 points 1 month ago (3 children)

I don't know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brutal force-able (and because humans are lazy, there are almost certainly going to be passwords clustered around the minimum).

I very much agree with the rest though; it's unnerving when sites have a low max length. It almost feels like advertising that passwords aren't being hashed, and if that's the case there's a snowball's chance in hell that they're also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn't know how to sanitize strings (or, entirely likely, both)...
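The thread above makes three verifier-side points: accept any character with no maximum below 64 (cmnybo, AliasVortex), don't allow an empty secret (catloaf's "null string"), and remember that bcrypt reads only the first 72 bytes, which is not the same as 72 characters (frezik). The block below is an added example, not code from the thread or from NIST; it shows how those checks fit together and why a 64-character password can still overrun bcrypt's byte limit. The policy values (minimum of 8 characters, a tiny constructed blocklist) are assumptions, and the bcrypt call itself is left to the `bcrypt` package: this is the preparation that happens before it.

```python
import base64
import hashlib
import unicodedata
from typing import Tuple

# Assumed policy values (not from the thread): SP 800-63B-style verifier rules.
MIN_CHARS = 8          # minimum length in characters (code points)
MAX_CHARS = 64         # maximum length; 64 is the figure frezik cites as reasonable
BCRYPT_MAX_BYTES = 72  # bcrypt only reads the first 72 bytes of its input

# Constructed stand-in; a real deployment compares against breached/common-password lists.
BLOCKLIST = {"password", "12345678", "qwertyui"}


def normalize(password: str) -> str:
    """NFKC normalisation so visually identical inputs compare and hash the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> Tuple[bool, str]:
    """Acceptance check: length counted in characters, any Unicode allowed,
    no composition rules, no maximum below 64, blocklist comparison."""
    if password is None:
        return False, "missing"
    normalized = normalize(password)
    n = len(normalized)
    if n < MIN_CHARS:          # rejects the empty "null string" too
        return False, f"too short ({n} < {MIN_CHARS})"
    if n > MAX_CHARS:
        return False, f"too long ({n} > {MAX_CHARS})"
    if normalized.lower() in BLOCKLIST:
        return False, "blocklisted"
    return True, "ok"


def utf8_length(password: str) -> int:
    """Byte length after UTF-8 encoding: what bcrypt actually sees."""
    return len(normalize(password).encode("utf-8"))


def exceeds_bcrypt_limit(password: str) -> bool:
    """True when bcrypt would silently ignore part of the password."""
    return utf8_length(password) > BCRYPT_MAX_BYTES


def prehash_for_bcrypt(password: str) -> bytes:
    """SHA-256 then base64: a fixed 44-byte input regardless of password length.
    Base64 rather than the raw digest, because bcrypt treats its input as a
    C string and a 0x00 byte inside a raw digest would truncate it."""
    digest = hashlib.sha256(normalize(password).encode("utf-8")).digest()
    return base64.b64encode(digest)


if __name__ == "__main__":
    # Constructed sample: 64 key emoji pass the character-length policy but
    # encode to 256 bytes, far past what bcrypt reads; prehashing fixes that.
    emoji_pw = "\U0001F511" * 64
    print(check_password(emoji_pw), utf8_length(emoji_pw), exceeds_bcrypt_limit(emoji_pw))
    print(len(prehash_for_bcrypt(emoji_pw)))
```

The prehash keeps the verifier honest about "no maximum length": the policy can accept long passphrases while the KDF still sees a fixed-size input, and base64 sidesteps the NUL-truncation pitfall of feeding a raw digest into bcrypt.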
