NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 2) by vux984 on Wednesday October 11 2017, @01:00AM (6 children)
I just generate passwords for them; and save them in my password manager.
What is your mother's maiden name?
asdfakjfkjf32lkjf2439ergavakghg2h
Who was your best friend when you were 12?
zvnmmn224guagvbaf2thahgasdf3eg
etc...
If you use a password manager, you're never going to need these recovery questions anyway. And if you lose your password manager, you've lost these answers too... so either way it's moot. I opt out if I can, or stuff them with garbage. A few sites will ask you a security question on top of your password the first time you log in from a new browser etc., so for those it's an extra step, but for the most part the most tedious thing about password recovery questions is that they exist at all.
Step 1: choose a difficult password with 10 characters, 3 numbers, 2 special characters, 3 capitals, that also doesn't appear on some list we use etc etc etc...
Step 2: to recover your password, choose 3 single English word answers to questions that half the people who know you could answer, and the rest could answer by stalking you on Facebook... or if you were clever enough not to have a Facebook account, they can still probably get the answers to most of them by Facebook stalking your sister instead (mother's maiden name, city you grew up in, your favorite uncle's first name, your first pet... etc., etc.). Oh... and I think my favorite was when the office decided to do a know-your-fellow-employee treasure hunt one year and had us all fill out a series of questions -- "favorite sport, city you grew up in, how many siblings, etc." The idea was that we'd then go around and try to find the employee whose favorite sport was curling, and who had 6 sisters, and who had been born in Tennessee... etc., etc., but it was basically a list of all the sorts of questions these password recovery sites use.
Step 2a: At least one of these questions will stump you 5 years from now even if you answered completely honestly. Seriously... "What is your favorite food"... I have no idea what I'd put as my favorite food today... let alone what I came up with 5 years ago when some site forced me to fill it out.
So yeah, I use generated gibberish now, and it's never been an issue... so far.
(Score: 2, Interesting) by Anonymous Coward on Wednesday October 11 2017, @04:11AM (2 children)
One alternative I've used in the past was normalizing and then hashing the question and a salt, and using what that spits out as the answer. Easy to duplicate and nothing to remember.
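A worked version of the derived-answer idea in the comment above, added here as an example and not code from the thread: the question text is normalized so small rewordings still map to the same answer, then run through HMAC-SHA256 keyed with a secret held in the password manager. The site name is folded in as a per-site salt (my extension to the comment's single salt) so an answer leaked by one site's support desk is useless elsewhere; the secret value here is constructed for the demo.

```python
import base64
import hashlib
import hmac
import unicodedata

# Constructed secret for the demo. In practice this is a long random value
# that lives only in the password manager (assumption: it is never typed
# into any site, only the derived answers are).
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"


def normalize_question(question: str) -> str:
    """Canonicalise a security question so that 'Mother's maiden name?' and
    'mothers maiden name' produce the same string: NFKD decomposition, case
    folding, drop everything that is not a letter, digit or space, collapse
    runs of whitespace.  This is what makes the answer reproducible when a
    site rephrases or re-punctuates the question."""
    text = unicodedata.normalize("NFKD", question).casefold()
    text = "".join(ch for ch in text if ch.isalnum() or ch.isspace())
    return " ".join(text.split())


def derive_answer(secret: bytes, site: str, question: str, length: int = 20) -> str:
    """Deterministically derive an answer from (secret, site, question).

    HMAC-SHA256 keyed with the secret; the site label is part of the message
    so the same question gives unrelated answers on different sites.  Output
    is lowercase base32 without padding, i.e. only [a-z2-7], so it survives
    sites that lowercase answers or reject punctuation.  A NUL separates the
    fields so 'ab' + 'c' cannot collide with 'a' + 'bc'."""
    msg = normalize_question(question).encode() + b"\x00" + site.casefold().encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:length]


if __name__ == "__main__":
    q1 = "What is your mother's maiden name?"
    q2 = "what is your mothers maiden name"
    print(derive_answer(DEMO_SECRET, "example.com", q1))
    print(derive_answer(DEMO_SECRET, "example.com", q2) == derive_answer(DEMO_SECRET, "example.com", q1))
```

The derived string is what gets entered as the "answer"; losing the secret loses every answer, which is the same failure mode as losing the password manager itself.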
(Score: 2) by rylyeh on Wednesday October 11 2017, @07:25AM (1 child)
Nice! Never thought of that!
"a vast crenulate shell wherein rode the grey and awful form of primal Nodens, Lord of the Great Abyss."
(Score: 2) by FatPhil on Wednesday October 11 2017, @09:27AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:48PM
That's what I used to think. Until I needed to change my e-mail address for Battle.NET. Nope, the password is not enough; I had to answer the security question. And apparently I don't know exactly how I spelled the answer.
Now I generate a second password for those stupid security questions and put it in the "comment" field in my password manager. I wouldn't want it to be the same as my password, as there is a higher likelihood that a support person will get the answer shown on their screen, since those "security" questions are generally thought to need to be less secure than the password they are often used to reset.
(Score: 2) by Osamabobama on Wednesday October 11 2017, @08:15PM (1 child)
Those non-Latin alphabets never display quite right for me. Is that a central Asian name?
(Score: 2) by Yog-Yogguth on Sunday October 15 2017, @11:14AM
Indeed it is! If you squint you'll notice it's the ASCII-art version of UTF-8 Telugu (scroll down and look at the sample text here [omniglot.com] and how they compressed the alphabet into Unicode here [wikipedia.org]). Telugu is the world's 15th most spoken language with at least 75 million speakers (wiki link [wikipedia.org]).
Her name is "Daisy" :P
I can't speak Telugu, it's all Dravidian to me (another link [wikipedia.org]). (I don't speak Greek either).
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))