Submitted via IRC for Bytram
We've all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they're basically useless. He is also very sorry.
[The 2003 NIST guidance has been replaced by a new version of NIST Special Publication 800-63A, "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements," which is basically a 180° reversal from the original. - Ed.]
Source: http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
Additional Coverage at The Wall Street Journal [paywalled]
(Score: 0) by Anonymous Coward on Friday August 18 2017, @05:05PM (2 children)
If your long password uses all "findable in a dictionary" word combinations, then you should be able to feed them to your password guessing algorithm first, then move on to random character brute force later. This is one reason why I think you need to add a bit of "h4x0r153d" changes to your password. For me, I often take a phrase I know (maybe a line from a movie, say) and then modify it a bit. For example, "Go ahead, make my day" is pretty easy to remember, and modifying it slightly (like maybe use 2 spaces between one of the words or put numbers in one of them, etc.) seems like a better idea. What I REALLY like about the new recommendations is the idea of not forcing people to come up with new passwords on a regular basis. If someone takes the time to make up a really good password, then forcing them to keep coming up with new ones just forces them to find a way to store it somewhere other than their brain!
(Score: 2) by curunir_wolf on Friday August 18 2017, @05:26PM
In the document, the recommendation is to REMOVE multiple sequential spaces so that there is only one space. So for systems that implement those recommendations you won't get a better password by adding multiple spaces between words...
I am a crackpot
(Score: 0) by Anonymous Coward on Monday August 21 2017, @04:28AM
Well, do think of what brute forcing a "findable in a dictionary" word combinations password would entail though. If I had a six word password, and I used a known set of 2048 common words as suggested in XKCD 936, choosing each of the six words by a strong random number generator, brute forcing that would require searching through a key space of 2048^6 or about 7.37·10^19 possible passwords. That's roughly the same as attempting to break a 66-bit symmetric key. If a hacker managed to steal the hashed and salted passwords and set up some system capable of computing ten trillion hashes per second (something like the power of a respectable Bitcoin mining ASIC worth a few thousand dollars), it would still take nearly three months to crack, so presumably then you'd want to change your password at least every two months. Adding a seventh word would increase the cracking time for the same hashing rig to 480 years, which gives you a bit of security even against a well-funded adversary with the resources of a medium to large corporation. You'd need 12 words (132 bits of entropy) to get to the point where not even intelligence agencies would be able to break it, assuming you are using a true, strong random number generator with no back doors to choose your words.
And yes, while adding a bit of "h4x0r153d" changes can't hurt security, it will make the password harder to remember, and if you do wind up forgetting it thanks to these changes, it means fuck all that you've made your password more secure since you then can't remember it!
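The two technical points raised in the comments above (the keyspace arithmetic for randomly chosen words, and the collapsing of repeated spaces before verification), worked through as an added Python example that is not part of the original thread. The word list is a constructed placeholder and the function names are hypothetical.

```python
import math
import re
import secrets

# Constructed stand-in for a real 2048-word list (only its size matters here).
WORDLIST = [f"word{i:04d}" for i in range(2048)]
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(list_size, n_words):
    """Entropy in bits when every word is drawn uniformly and independently."""
    return n_words * math.log2(list_size)


def seconds_to_exhaust(list_size, n_words, hashes_per_second):
    """Time to try every possible passphrase at a fixed hash rate."""
    return list_size ** n_words / hashes_per_second


def generate_passphrase(wordlist, n_words):
    """Draw words with the OS CSPRNG; the estimates hold only for random picks."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def collapse_spaces(password):
    """Verifier-side normalisation: a run of spaces becomes a single space."""
    return re.sub(r" {2,}", " ", password)


if __name__ == "__main__":
    rate = 1e13  # ten trillion hashes per second, the figure used in the comment
    for n in (6, 7, 12):
        secs = seconds_to_exhaust(len(WORDLIST), n, rate)
        print(f"{n:2d} words  {passphrase_bits(len(WORDLIST), n):5.0f} bits  "
              f"{secs / 86400:.3g} days  {secs / SECONDS_PER_YEAR:.3g} years")
    print(generate_passphrase(WORDLIST, 6))
    # Both spellings reach the hash function as the same string.
    print(collapse_spaces("Go ahead,  make my day") == "Go ahead, make my day")
```

The time figure is for searching the whole keyspace; on average a match turns up after about half of it.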