SoylentNews is people
SoylentNews
NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 4, Informative) by frojack on Tuesday October 10 2017, @10:14PM (19 children)
This was news back in June when it came out, and in August [soylentnews.org] when it was first covered in SoylentNews. (in other words: Dup!)
Schneier is one of the few that has been stating this long before the NIST decided to get on the bandwagon.
The rest of the security parrots have been touting crapword and punctuation and expiration for literally decades.
(Schneier's personal recommendation [schneier.com] isn't all that practical itself if you ask me. It tends to require you to re-use passwords simply because there aren't that many long phrases that immediately come to mind such that you can have one for each login).
His general recommendation is:
No, you are mistaken. I've always had this sig.
(Score: 2, Informative) by davidjohnpaul on Tuesday October 10 2017, @10:22PM (7 children)
Schneier also suggests using a password manager. If you use the long phrase to protect it, with it auto-generating all your other passwords for you, then the lack of long phrases that immediately come to mind is less of a problem.
(Score: 3, Informative) by frojack on Tuesday October 10 2017, @10:38PM (6 children)
Yes, his point number 3 above.
But if you use a long passphrase, then you need to type that long passphrase 100 times a day. That gets old.
I use a shore-ish password to get into my password manager. It locks after three failed tries anyway.
I have that password tattooed on the bottom of my left foot. I have "other foot" tattooed on the bottom of my right foot.
No, you are mistaken. I've always had this sig.
(Score: 5, Funny) by bzipitidoo on Wednesday October 11 2017, @12:44AM (1 child)
You could be in trouble if you ever need one foot amputated. If it's the left foot, you lose your master password. If it's the right, the surgeons might mistake that tattoo as a message for them and amputate your left and you still lose your password.
(Score: 1) by DECbot on Thursday October 12 2017, @12:41AM
No, he'll be okay because he has "other foot" tattooed on the bottom of his feet.
cats~$ sudo chown -R us /home/base
(Score: 1, Informative) by Anonymous Coward on Wednesday October 11 2017, @12:56AM (1 child)
What's your threat model? You walk away from the computer then an attacker walks up and tries to open the password manager? Couldn't that attacker make a copy of the password manager's database, then try guessing the master password at his leisure, resetting the counter when he guesses wrong?
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:40PM
Password-guessing software doesn't bother to update the counter in the first place.
(Score: 2) by maxwell demon on Wednesday October 11 2017, @09:00AM
I see, your password is "this foot".
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by lgw on Wednesday October 11 2017, @06:25PM
You don't fool me. "Other foot" is your actual password!
(Score: 3, Interesting) by richtopia on Tuesday October 10 2017, @11:19PM (8 children)
How do you beware the secret question? It is mandatory for most applications to provide security questions, so I cannot opt-out of them. Is the recommendation to treat secret answers as passwords: unique ones per site? Even with a password manager that feels tedious.
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:25AM
That's my own practice. I am wary of giving true answers, because the true answers to some of those questions could be discovered by an attacker and because there's a tendency for various sites to use the same security questions. If one gives true answers, and one site is compromised, then the attacker has the answers for all sites that used the same question(s).
(Score: 2) by vux984 on Wednesday October 11 2017, @01:00AM (6 children)
I just generate passwords for them; and save them in my password manager.
What is your mother's maiden name?
asdfakjfkjf32lkjf2439ergavakghg2h
Who was your best friend when you were 12?
zvnmmn224guagvbaf2thahgasdf3eg
etc...
If you use a password manager, your never going to need these recovery questions anyway. And if you lose your password manager, you lost these answers... so either way its moot. I opt out if I can, or stuff them with garbage. A few sites will ask you a security question on top of your password the first time you login from an new browser etc so for those its an extra step, but for the most part the most tedious thing about password recovery questions is that they exist at all.
Step 1: choose a difficult password with 10 characters, 3 numbers, 2 special characters, 3 capitals, that also doesn't appear on some list we use etc etc etc...
Step 2: to recover your password, choose 3 single english word answers to questions that half the people that know you could answer, and the rest could answer by stalking you on facebook... or if you were clever enough to not to have a facebook account, they can still probably get the answers to most of them by facebook stalking your sister instead. (mothers maiden name, city you grew up in, your favorite uncles first name, your first pet... etc, etc...). Oh... and I think my favorite was when the office decided to a know your fellow employee treasure hunt one year and had as all fill out a series of questions -- "favorite sport, city you grew up in, how many siblings etc..." the idea was that we'd then go around and try and find the employee whose favorite sport was curling, and who had 6 sisters, and who had been born in Tenessee... etc etc but it was basically a list of all the sorts of questions these password recovery sites use.
Step 2a: At least one of these questions will stump you 5 years from now even if you answered completely honestly. Seriously..."What is your favorite food" ... I have no idea what i'd put as my favorite food today.... let alone what I came up with 5 years ago when some site forced me to fill it out.
So yeah, I use generated gibberish now, and its never been an issue... so far.
(Score: 2, Interesting) by Anonymous Coward on Wednesday October 11 2017, @04:11AM (2 children)
One alternative I've used in the past was normalizing and the hashing the question and a salt and using what that spits out as the answer. Easy to duplicate and nothing to remember.
(Score: 2) by rylyeh on Wednesday October 11 2017, @07:25AM (1 child)
Nice! Never thought of that!
"a vast crenulate shell wherein rode the grey and awful form of primal Nodens, Lord of the Great Abyss."
(Score: 2) by FatPhil on Wednesday October 11 2017, @09:27AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:48PM
That's what I used to think. Until I needed to change my e-mail address for Battle.NET. Nope, password is not enough, has to answer the security question. And apparently I don't know exactly how I spelled the answer.
Now I generate a second password for those stupid security questions and put it in the "comment" field in my password manager. Wouldn't want it to be the same as my password as there is a higher likelihood that a support person will get the answer shown on their screen, as those "security" questions are generally thought to need to be less secure than the password they are often used to reset.
(Score: 2) by Osamabobama on Wednesday October 11 2017, @08:15PM (1 child)
Those non-Latin alphabets never display quite right for me. It that a central Asian name?
Appended to the end of comments you post. Max: 120 chars.
(Score: 2) by Yog-Yogguth on Sunday October 15 2017, @11:14AM
Indeed it is! If you squint you'll notice it's the ASCII-art version of UTF-8 Telugu (scroll down and look at the sample text here [omniglot.com] and how they compressed the alphabet into Unicode here [wikipedia.org]). Telugu is the world's 15th most spoken language with at least 75 million speakers (wiki link [wikipedia.org]).
Her name is "Daisy" :P
I can't speak Telugu, it's all Dravidian to me (another link [wikipedia.org]). (I don't speak Greek either).
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by NewNic on Tuesday October 10 2017, @11:56PM (1 child)
I would add one more:
5. Make sure that the password to each of email accounts is never re-used anywhere else.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 2) by FatPhil on Wednesday October 11 2017, @09:28AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves