SoylentNews is people
SoylentNews
NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:35PM
If it's anything like the German chip/tan system, it's orders of magnitude better than regular 2-factor authentication.
Regular 2-factor is only valid once or for one minute (depending on the version). Either way, a man in the middle attack (or "man in the browser", for those who think that anything not stopped by SSL cannot be called MITM) can just replace the amount and account number. The chip/tan code on the other hand is basically a digital signature of the transaction id, target account and amount, which are also shown on the screen on the device itself (which has no connection to the computer).
When done correctly, that number you enter is only valid for the amount and target account shown on the device screen.