
posted by mrpg on Tuesday October 10 2017, @09:30PM
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?
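As an added illustration, not code from Schneier's post or from NIST, here are the two approaches side by side: a typical composition rule set of the kind the summary argues against, and a check in the spirit of the guidance (the 8-character floor and the compromised-password comparison are the SP 800-63B 5.1.1.2 requirements; the blocklist here is a constructed stand-in).

```python
import re
import unicodedata

# Constructed stand-in for a breached-password corpus; a real verifier would
# load a large list of known-compromised values instead.
COMPROMISED = {"password", "P@ssw0rd1!", "Qwerty123!", "letmein", "123456"}


def legacy_policy(pw: str) -> tuple[bool, str]:
    """Typical composition rules: a length floor plus forced character classes.
    Rejects an easy-to-remember pass phrase while waving through a predictable
    substitution pattern that sits in every cracking wordlist."""
    if len(pw) < 10:
        return False, "shorter than 10 characters"
    if not re.search(r"[A-Z]", pw):
        return False, "needs an uppercase letter"
    if not re.search(r"[0-9]", pw):
        return False, "needs a digit"
    if not re.search(r"[^A-Za-z0-9]", pw):
        return False, "needs a special character"
    return True, "ok"


def nist_policy(pw: str, compromised: set[str] = COMPROMISED) -> tuple[bool, str]:
    """Check in the spirit of SP 800-63B 5.1.1.2: minimum 8 characters, room
    for long pass phrases (spaces included), a compromised-value blocklist,
    and no composition rules. Expiry is deliberately absent: a change is
    forced only on evidence of compromise, which is a property of the
    account, not of the password string."""
    pw = unicodedata.normalize("NFKC", pw)  # consistent handling of Unicode input
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 128:  # must allow at least 64; the cap only bounds hashing cost
        return False, "longer than 128 characters"
    if pw in compromised:
        return False, "found in a list of compromised passwords"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)}")
```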


  • (Score: 2) by vux984 on Wednesday October 11 2017, @01:00AM (6 children)

    by vux984 (5045) on Wednesday October 11 2017, @01:00AM (#580195)

    How do you beware the secret question? It is mandatory for most applications to provide security questions, so I cannot opt-out of them. Is the recommendation to treat secret answers as passwords: unique ones per site?

    I just generate passwords for them, and save them in my password manager.

    What is your mother's maiden name?

    asdfakjfkjf32lkjf2439ergavakghg2h

    Who was your best friend when you were 12?

    zvnmmn224guagvbaf2thahgasdf3eg

    etc...

    Even with a password manager that feels tedious.

    If you use a password manager, you're never going to need these recovery questions anyway. And if you lose your password manager, you've lost these answers... so either way it's moot. I opt out if I can, or stuff them with garbage. A few sites will ask you a security question on top of your password the first time you login from a new browser etc, so for those it's an extra step, but for the most part the most tedious thing about password recovery questions is that they exist at all.

    Step 1: choose a difficult password with 10 characters, 3 numbers, 2 special characters, 3 capitals, that also doesn't appear on some list we use etc etc etc...

    Step 2: to recover your password, choose 3 single English word answers to questions that half the people that know you could answer, and the rest could answer by stalking you on Facebook... or if you were clever enough not to have a Facebook account, they can still probably get the answers to most of them by Facebook stalking your sister instead (mother's maiden name, city you grew up in, your favorite uncle's first name, your first pet... etc, etc...). Oh... and I think my favorite was when the office decided to do a "know your fellow employee" treasure hunt one year and had us all fill out a series of questions -- "favorite sport, city you grew up in, how many siblings etc..." The idea was that we'd then go around and try and find the employee whose favorite sport was curling, and who had 6 sisters, and who had been born in Tennessee... etc etc, but it was basically a list of all the sorts of questions these password recovery sites use.

    Step 2a: At least one of these questions will stump you 5 years from now even if you answered completely honestly. Seriously... "What is your favorite food"... I have no idea what I'd put as my favorite food today... let alone what I came up with 5 years ago when some site forced me to fill it out.

    So yeah, I use generated gibberish now, and it's never been an issue... so far.

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday October 11 2017, @04:11AM (2 children)

    by Anonymous Coward on Wednesday October 11 2017, @04:11AM (#580284)

    One alternative I've used in the past was normalizing and then hashing the question and a salt, and using what that spits out as the answer. Easy to duplicate and nothing to remember.

    • (Score: 2) by rylyeh on Wednesday October 11 2017, @07:25AM (1 child)

      by rylyeh (6726) <{kadath} {at} {gmail.com}> on Wednesday October 11 2017, @07:25AM (#580330)

      Nice! Never thought of that!

      --
      "a vast crenulate shell wherein rode the grey and awful form of primal Nodens, Lord of the Great Abyss."
      • (Score: 2) by FatPhil on Wednesday October 11 2017, @09:27AM

        by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday October 11 2017, @09:27AM (#580361) Homepage
        Until they slightly change the wording of a question.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
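An added illustration of the derived-answer scheme from the comment above, not code from either commenter: a keyed hash (HMAC-SHA256, with a secret standing in for the bare salt) over a normalized question plus a site label. The normalization absorbs case, punctuation and spacing changes, but, as the reply points out, a genuine rewording of the prompt still yields a different answer, which the script demonstrates. The secret and site names are constructed.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed example secret; in practice a random value kept in the
# password manager, since it is the only thing that has to be stored.
SECRET = b"constructed-example-secret-do-not-reuse"


def normalize_question(question: str) -> str:
    """Canonicalise the prompt so case, punctuation, spacing and Unicode form
    do not matter. A genuine rewording still produces a different string."""
    q = unicodedata.normalize("NFKC", question).casefold()
    q = re.sub(r"[^a-z0-9\s]+", "", q)  # drop '?', apostrophes, other punctuation
    return " ".join(q.split())           # collapse any run of whitespace


def derived_answer(question: str, site: str,
                   secret: bytes = SECRET, length: int = 24) -> str:
    """HMAC-SHA256(secret, site || normalized question), truncated to a length
    most sites accept. Binding the site label means an answer exposed at one
    site (e.g. shown on a support screen) cannot be replayed at another."""
    msg = f"{site.casefold()}\x00{normalize_question(question)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:length]


if __name__ == "__main__":
    base = derived_answer("What is your mother's maiden name?", "example.com")
    same = derived_answer("what is your  MOTHERS maiden name", "Example.com")
    reworded = derived_answer("Mother's maiden name", "example.com")
    print(base == same)      # True: cosmetic edits to the prompt are absorbed
    print(base == reworded)  # False: a real rewording changes the answer
```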
  • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:48PM

    by Anonymous Coward on Wednesday October 11 2017, @12:48PM (#580433)

    If you use a password manager, you're never going to need these recovery questions anyway.

    That's what I used to think. Until I needed to change my e-mail address for Battle.NET. Nope, password is not enough, had to answer the security question. And apparently I don't know exactly how I spelled the answer.

    Now I generate a second password for those stupid security questions and put it in the "comment" field in my password manager. Wouldn't want it to be the same as my password as there is a higher likelihood that a support person will get the answer shown on their screen, as those "security" questions are generally thought to need to be less secure than the password they are often used to reset.

  • (Score: 2) by Osamabobama on Wednesday October 11 2017, @08:15PM (1 child)

    by Osamabobama (5842) on Wednesday October 11 2017, @08:15PM (#580768)

    What is your mother's maiden name?

    asdfakjfkjf32lkjf2439ergavakghg2h

    Those non-Latin alphabets never display quite right for me. Is that a central Asian name?

    • (Score: 2) by Yog-Yogguth on Sunday October 15 2017, @11:14AM

      by Yog-Yogguth (1862) Subscriber Badge on Sunday October 15 2017, @11:14AM (#582601) Journal

      Indeed it is! If you squint you'll notice it's the ASCII-art version of UTF-8 Telugu (scroll down and look at the sample text here [omniglot.com] and how they compressed the alphabet into Unicode here [wikipedia.org]). Telugu is the world's 15th most spoken language with at least 75 million speakers (wiki link [wikipedia.org]).

      Her name is "Daisy" :P

      I can't speak Telugu, it's all Dravidian to me (another link [wikipedia.org]). (I don't speak Greek either).

      --
      Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))