Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by RedBear on Wednesday October 11 2017, @12:09PM (1 child)

    by RedBear (1734) on Wednesday October 11 2017, @12:09PM (#580411)

    We are not in disagreement. Offline air-gapped password store (that never touches a USB device either) is a great idea if you're dealing with anything more important than some personal accounts. But nobody will ever go to those lengths for personal things, just like nobody has ever bothered to change their passwords regularly, use random passwords, use long passwords, or use different passwords for different services. What the password manager does for us is it reduces the attack profile from a completely unmanageable [my computer] + [200 very badly run web services] to just [my computer]. From totally out of our individual control to kinda, sorta in our control.

    If you get malware on your machine that is capable of stealing passwords from your password manager, similar malware could also just scan files or any other open applications that might be storing your passwords. Such things have existed for decades. That's just the reality of imperfect computing security in an imperfect networked world. Best we can do is use password managers that don't do dumb things like transmitting unencrypted data across the internet or storing your passwords locally in the clear.

    If you're running a nuclear facility, a password manager is probably not a great idea. Then again, the reality is that people who run such facilities often make such terrible security choices that a password manager could actually be an improvement. How's that for a scary thought?

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 1) by pTamok on Wednesday October 11 2017, @01:49PM

    by pTamok (3042) on Wednesday October 11 2017, @01:49PM (#580459)

    Modded you up. I agree entirely that laziness trumps security, and you once again point out the real benefits of password managers.

    And I agree re: nuclear facilities, and in fact many process-control and SCADA applications. Security is just not baked in. If somebody messes with process control in an oil refinery, or a chemical plant, or a dam, really nasty things could happen.