
posted by martyb on Friday August 19 2016, @07:32PM   Printer-friendly
from the keeping-things-to-yourself dept.

The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum length of 8 characters. Perhaps more interesting is what they recommend against: allowing password hints, requiring the password to contain certain character classes (such as numeric digits or upper-case letters), using knowledge-based authentication (e.g., "what is your mother's maiden name?"), using SMS (Short Message Service) for two-factor authentication, and expiring passwords after a fixed period. They also provide recommendations on how password data should be stored.

[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
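To make the contrast concrete, here is an added illustration (not NIST's text or code, and not from the submitter) of a legacy composition-rule policy next to a policy shaped like the recommendations summarised above: a length floor of 8, no character-class rules, no hints and no expiry. The deny-list check against commonly used passwords is also part of the same NIST guidance, though the summary above does not mention it; the list used here is a constructed sample standing in for a real breached-password corpus.

```python
# Added illustration of the two policy styles the summary contrasts; this is
# not NIST's text or code. The common-password list below is a constructed
# sample standing in for a real breached-password corpus.

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def legacy_policy(pw: str) -> list[str]:
    """Composition-rule policy of the kind NIST now advises against: 8+ chars
    plus a digit, an upper-case letter and a symbol. Returns the violations."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case")
    if all(c.isalnum() or c.isspace() for c in pw):
        problems.append("no symbol")
    return problems


def nist_style_policy(pw: str, common=COMMON_PASSWORDS) -> list[str]:
    """Length floor of 8 and a deny-list check; no composition rules, no
    hints, no forced expiry. Returns the violations."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if pw.lower() in common:
        problems.append("on common-password list")
    return problems


def compare(pw: str) -> dict[str, list[str]]:
    """Run both policies on one candidate so the difference is visible."""
    return {"legacy": legacy_policy(pw), "nist": nist_style_policy(pw)}


if __name__ == "__main__":
    # A long passphrase fails the legacy rules but passes the NIST-style ones;
    # a well-known "P@ssw0rd" does the reverse.
    for candidate in ("correct horse battery staple", "P@ssw0rd", "short"):
        print(repr(candidate), compare(candidate))
```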



  • (Score: 2) by edIII (791) on Friday August 19 2016, @11:12PM (#390326)

    I honestly don't understand the point you're trying to make. Yes, exponents result in MUCH larger numbers than simple multiplication.... but that's because it's multiplication over and over again. I'm sure you know that :)

    However, what is the exponent again? The exponent is the number of selections you're making (password length) and the base is the total number of possibilities for that selection. At least when you want permutations of something.

    My point remains. Keyspace is exponential of course, but one of them is larger than the other. You failed to note that:

    62 ^ 12 = 3226266762397899821056

    That's quite a bit bigger than 218340105584896 (26 ^ 12). Which seems like we have a game of leap frog going on, and I'm gonna win with every character added :)

    The best password is a unique phrase that you can reliably reproduce

    Only for the user. Security is evaluated quite impartially by simply looking at keyspace, probabilities, etc.

    Not unless that base is quite large, and the exponent isn't small, will you see the keyspace expand to over 70 orders of magnitude (minimum for me, although I feel a lot more comfortable at 100). You still need at least 8 characters before exponents start "creating walls" that make brute force not a viable activity. Using just letters, that base is only 26. Capitals give us 52. Adding in numbers gives us 62. Allowing a short range of symbols can give us upwards of 90. That makes a big difference.

    Exponents also don't mean much when you take a closer look at the keyspace. Don't be fooled into thinking your phrases protect you, when they actually reduce keyspace. Any time you can infer a pattern, you're reducing keyspace. Squirrel seems like a good 8 characters, but it is in fact only ONE well known word. It's a single record in a Rainbow table, and doesn't represent the keyspace implied by 8 random characters. Likewise, 5 well known words do not represent 25+ selections against the alphabet. They represent 5 selections against the dictionary of words we know.

    You need to work a little harder to increase keyspace, and reduce keyspace weaknesses by randomizing it a bit further. Adding numbers or symbols dramatically increases keyspace, while not making it all that much harder to remember.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 3, Insightful) by stormwyrm (717) on Saturday August 20 2016, @03:00PM (#390578)
    The point the GP was trying to make is that lengthening the password is far more effective than increasing the possible characters in the password. Which is why password length restrictions are extremely irksome. If you have an XKCD 936-style password with seven words, that would be 2048^7, 1.51×10^23 possible passwords (77 bits of entropy). Note that although a password generated according to that system uses all lowercase letters, it beats the shit out of your 12-character password entropy-wise (62^12 is only 3.22×10^21 or 71 bits, so my password is two orders of magnitude stronger than yours), and above all, IT IS MUCH EASIER FOR HUMANS TO REMEMBER! Humans are the weak link here, so why the hell would you not exploit the natural ability of people to generate connections between random words (I do it by inventing stories) as opposed to forcing people into the sorts of memory games which are unnatural to human cognition? Do you really hate your users that much as you have said earlier? If you do, then they will hate you right back and undermine your user-unfriendly policy every chance they get. Security, to be effective, must also be usable.
    --
    Numquam ponenda est pluralitas sine necessitate.
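The keyspace arithmetic both commenters argue over, reproduced as an added example (not code from either poster): the base-to-the-length keyspace edIII computes, stormwyrm's 2048^7 versus 62^12 comparison in bits, and edIII's objection that a phrase of known words should be counted as choices from a dictionary rather than as random letters. The dictionary size of 100,000 and the guess rate of 10^10 per second are assumed figures used only to make the comparison concrete.

```python
import math

# Added example reproducing the keyspace arithmetic in the thread; it is not
# code from either commenter. The dictionary size and guess rate used below
# are constructed assumptions, not figures from the discussion.


def keyspace(base: int, length: int) -> int:
    """Number of candidate passwords when each of `length` positions is an
    independent choice from `base` symbols: base ** length."""
    return base ** length


def entropy_bits(base: int, length: int) -> float:
    """The same quantity on a log scale: length * log2(base) bits."""
    return length * math.log2(base)


def naive_vs_modeled(phrase: str, dictionary_size: int) -> tuple[float, float]:
    """Entropy of a passphrase two ways: every letter as a random pick from 26
    (the naive view) versus every word as one pick from a dictionary of
    `dictionary_size` entries (edIII's objection). Rounded to 0.1 bit."""
    words = phrase.split()
    letters = sum(len(w) for w in words)
    naive = entropy_bits(26, letters)
    modeled = entropy_bits(dictionary_size, len(words))
    return round(naive, 1), round(modeled, 1)


def years_to_exhaust(base: int, length: int, guesses_per_second: float = 1e10) -> float:
    """Years needed to try the whole keyspace at an assumed guess rate; this
    is the 'wall' edIII refers to, with the rate as a constructed figure."""
    return keyspace(base, length) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    print("62^12   =", keyspace(62, 12), f"({entropy_bits(62, 12):.1f} bits)")
    print("2048^7  =", keyspace(2048, 7), f"({entropy_bits(2048, 7):.1f} bits)")
    print("squirrel (naive, modeled):", naive_vs_modeled("squirrel", 100_000))
    print("four-word phrase (naive, modeled):",
          naive_vs_modeled("correct horse battery staple", 100_000))
    print(f"years to exhaust 62^12 at 1e10/s: {years_to_exhaust(62, 12):.0f}")
```

The modeled figures show why "squirrel" is one dictionary entry rather than 37 bits of random letters, while a four-word phrase still lands near stormwyrm's range once counted the honest way.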