
posted by martyb on Friday August 19 2016, @07:32PM
from the keeping-things-to-yourself dept.

The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against: allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.

[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]


  • (Score: 2) by stormwyrm (717) on Friday August 19 2016, @11:32PM (#390334)

    They recommend against ... requiring the password to contain certain characters (like numeric digits or upper-case characters)...

    Let's see. So if you had an alphanumeric, case-sensitive 8-character password, each letter could have 60 possibilities for it, roughly 5.9 bits of entropy. At 8 characters, that would be 1.6×10^14 possible passwords (47.25 bits of entropy). Now, if you restricted one of the characters to being a digit, that would be seven characters (41.3 bits of entropy) plus a numeric character (10 possibilities, 3.3 bits of entropy) at the end (because this is what most people will do if not restricted otherwise), that leaves us with 44.67 bits of entropy, or 2.8×10^13 possible passwords. Forcing the restriction has cut the space by about an order of magnitude.

    However, if you could enforce random positioning of the digit somehow, e.g. by making the password checker move the digit to a random position, that would again be seven characters (41.3 bits) plus a numeric character (3.3 bits) plus eight positions (3 bits) for a total of 47.3 bits of entropy, slightly increasing the strength of the password. But no one is going to do that, and the digit will most likely be in a predictable position.

    Forcing people to use upper-case characters in addition to numbers will also weaken the password even more. Again, when faced with this restriction, people will tend to put the capital letter at the beginning and the digit at the end, so for an 8-character password that would be six characters (35.4 bits), plus one capital letter (4.7 bits), plus one digit (3.3 bits) for a total entropy of 43.4 bits, 1.2×10^13 total possibilities.

    --
    Plurality must never be posited without necessity.
  • (Score: 2) by stormwyrm (717) on Saturday August 20 2016, @12:33AM (#390358)

    I feel silly, there are 62 possibilities per alphanumeric character. That doesn't change the argument in the slightest though. One character is 5.95 bits of entropy. Eight characters is 2.18×10^14 possible passwords (47.63 bits of entropy). Restricting the last character to being a digit makes for seven characters (41.65 bits) plus a digit (3.32 bits) for 45.00 bits of entropy or 3.52×10^13 possible passwords. At a random position that's seven characters (41.65 bits) plus a digit (3.32 bits) at one of eight possible random positions (exactly 3 bits) for 48.00 bits of entropy or 2.82×10^14 possible passwords, a rather insignificant change. One capital letter at the start (26 possibilities, 4.70 bits), 6 random characters (35.72 bits) and a digit at the end (3.32 bits) makes 43.74 bits total or 1.48×10^13 possible passwords.
    --
    Plurality must never be posited without necessity.
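The keyspace arithmetic in the two comments above, as an added Python example (not code from the thread or from NIST): it reproduces the slot-by-slot counts the comments use for each composition rule and, going one step further, counts by inclusion-exclusion the exact number of 8-character alphanumeric strings that satisfy a rule wherever the mandated character lands. The alphabet sizes (26 lower, 26 upper, 10 digits) are an assumption chosen to match the 62-character alphabet in the comments.

```python
import math

# Assumed alphabet sizes, matching the 62-character alphanumeric
# alphabet discussed in the comments.
LOWER, UPPER, DIGITS = 26, 26, 10
ALNUM = LOWER + UPPER + DIGITS


def structured_space(slot_sizes, placements=1):
    """Keyspace of a password built from fixed-alphabet slots (e.g. seven
    alnum slots plus one digit slot), multiplied by the number of positions
    the mandated slot may occupy.  This is the counting model used in the
    comments; it counts slot structures, so with placements > 1 the same
    string can be counted more than once (a 'free' slot may hold a digit)."""
    space = placements
    for size in slot_sizes:
        space *= size
    return space


def exact_space(length, need_digit=False, need_upper=False):
    """Exact number of alphanumeric strings of the given length that contain
    at least one digit and/or at least one upper-case letter, by
    inclusion-exclusion: total minus the strings missing each required class,
    plus the strings missing both (subtracted twice above)."""
    total = ALNUM ** length
    if need_digit:
        total -= (ALNUM - DIGITS) ** length
    if need_upper:
        total -= (ALNUM - UPPER) ** length
    if need_digit and need_upper:
        total += (ALNUM - DIGITS - UPPER) ** length
    return total


def bits(space):
    """Entropy in bits of a uniformly chosen password from a space of this size."""
    return math.log2(space)


# The policies compared in the thread, plus the exact position-free counts.
POLICIES = {
    "no composition rule, 8 alnum": structured_space([ALNUM] * 8),
    "digit forced, placed last":   structured_space([ALNUM] * 7 + [DIGITS]),
    "digit forced, random slot":   structured_space([ALNUM] * 7 + [DIGITS], 8),
    "capital first, digit last":   structured_space([UPPER] + [ALNUM] * 6 + [DIGITS]),
    "at least one digit (exact)":  exact_space(8, need_digit=True),
    "digit and capital (exact)":   exact_space(8, need_digit=True, need_upper=True),
}

if __name__ == "__main__":
    for name, space in POLICIES.items():
        print(f"{name:30s} {space:.2e} ({bits(space):.2f} bits)")
```

The exact counts show that any "at least one digit" rule can only shrink the space below the unconstrained 62^8; the slot model with eight placements exceeds 62^8 because it double-counts strings holding more than one digit.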