Stories
Slash Boxes
Comments

SoylentNews is people

Changes in Password Best Practices

posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Phoenix666 writes:

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?

Original Submission

 
This discussion has been archived. No new comments can be posted.
Changes in Password Best Practices | Log In/Create an Account | Top | 72 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:00PM

    by Anonymous Coward on Wednesday October 11 2017, @12:00PM (#580405)

    I highly recommend password managers, but not commercial ones. Use one of the well vetted open source ones. With a commercial manager, nobody but the company has any idea whether or not the crypto used to store the passwords is crap or not, until it is too late. With open source password managers, a few greps will tell me which crypto library is used, which algorithm, and what mode/mac is used. A quick peek at the relevant files will indicate whether or not the password and key data is protected from being swapped out to swap space or the page file and whether any kind of stretching on the master password is used. It really doesn't take long, and you really don't even need to do all this because it has already been done. The open source password managers that are commonly recommended have already been vetted.

    You don't even need to use a password manager if you are using full disk encryption and don't leave your machines running unattended; assuming you can prevent shoulder surfing. In this case, a text file will do. If you get some kind of malware or don't secure your OS, all bets are off.