SoylentNews is people
SoylentNews
NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 2) by frojack on Tuesday October 10 2017, @10:26PM (2 children)
I've got one bank account I manage that wants to ask you a security question for EACH function, and have you remember them.
That's bad enough for a personal account, but its a business account.
So as account handlers (employees) get swapped out over time, when ever one of these functions is needed, (adding a new Payee for example) they have to call up the old account handler, as him what his best childhood friend's first name was, write that down. Then the repeat the process the next time they want to change a mailing address or phone number.
And god help you if you log in from a different IP. Now you need two passwords or security questions.
Jeeze, just give me a Yubikey [yubico.com] and be done with it. At least I could put that in the safe. Now what was that safe combo?
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by NewNic on Tuesday October 10 2017, @11:54PM (1 child)
At least one bank in the UK has a 2FA using your debit card. They issue you a card reader, and ehen you want to do a transaction like sending money, you slip the card into the reader, enter your card's PIN, then enter a number provided by the website. Finally, you type the number that the card reader returned back into the website.
It does require cards with chips, which have been in use in Europe for a lot longer than in the USA.
There is another factor with the way things work in the UK: it's actually simple and efficient to send money electronically directly from one bank account to another, both within the UK and internationally. I don't believe British people can imagine how difficult that task is in the USA.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:35PM
If it's anything like the German chip/tan system, it's orders of magnitude better than regular 2-factor authentication.
Regular 2-factor is only valid once or for one minute (depending on the version). Either way, a man in the middle attack (or "man in the browser", for those who think that anything not stopped by SSL cannot be called MITM) can just replace the amount and account number. The chip/tan code on the other hand is basically a digital signature of the transaction id, target account and amount, which are also shown on the screen on the device itself (which has no connection to the computer).
When done correctly, that number you enter is only valid for the amount and target account shown on the device screen.