Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Informative) by davidjohnpaul on Tuesday October 10 2017, @10:22PM (7 children)

    by davidjohnpaul (5377) on Tuesday October 10 2017, @10:22PM (#580116) Homepage

    Schneier also suggests using a password manager. If you use the long phrase to protect it, with it auto-generating all your other passwords for you, then the lack of long phrases that immediately come to mind is less of a problem.

    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  

    Total Score:   2  
  • (Score: 3, Informative) by frojack on Tuesday October 10 2017, @10:38PM (6 children)

    by frojack (1554) on Tuesday October 10 2017, @10:38PM (#580127) Journal

    Yes, his point number 3 above.

    But if you use a long passphrase, then you need to type that long passphrase 100 times a day. That gets old.

    I use a shore-ish password to get into my password manager. It locks after three failed tries anyway.

    I have that password tattooed on the bottom of my left foot. I have "other foot" tattooed on the bottom of my right foot.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 5, Funny) by bzipitidoo on Wednesday October 11 2017, @12:44AM (1 child)

      by bzipitidoo (4388) on Wednesday October 11 2017, @12:44AM (#580188) Journal

      You could be in trouble if you ever need one foot amputated. If it's the left foot, you lose your master password. If it's the right, the surgeons might mistake that tattoo as a message for them and amputate your left and you still lose your password.

      • (Score: 1) by DECbot on Thursday October 12 2017, @12:41AM

        by DECbot (832) on Thursday October 12 2017, @12:41AM (#580878) Journal

        No, he'll be okay because he has "other foot" tattooed on the bottom of his feet.

        --
        cats~$ sudo chown -R us /home/base
    • (Score: 1, Informative) by Anonymous Coward on Wednesday October 11 2017, @12:56AM (1 child)

      by Anonymous Coward on Wednesday October 11 2017, @12:56AM (#580192)

      I use a shor[t]-ish password to get into my password manager. It locks after three failed tries anyway.

      What's your threat model? You walk away from the computer then an attacker walks up and tries to open the password manager? Couldn't that attacker make a copy of the password manager's database, then try guessing the master password at his leisure, resetting the counter when he guesses wrong?

      • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:40PM

        by Anonymous Coward on Wednesday October 11 2017, @12:40PM (#580429)

        resetting the counter when he guesses wrong?

        Password-guessing software doesn't bother to update the counter in the first place.

    • (Score: 2) by maxwell demon on Wednesday October 11 2017, @09:00AM

      by maxwell demon (1608) on Wednesday October 11 2017, @09:00AM (#580352) Journal

      I see, your password is "this foot".

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by lgw on Wednesday October 11 2017, @06:25PM

      by lgw (2836) on Wednesday October 11 2017, @06:25PM (#580660)

      You don't fool me. "Other foot" is your actual password!