
posted by chromas on Saturday October 06 2018, @08:20AM
from the this-password-contains-patterns-known-to-the-State-of-California-to-cause-cracking-and-data-breaches dept.

Submitted via IRC for Bytram

Weak passwords to be banned in California

Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.

The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.

It demands that each gadget be given a unique password when it is made.

Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.

The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.

This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.

The bill also allows customers who suffer harm when a company ignores the law to sue for damages.


(Score: 2) by pipedwho (2032) on Saturday October 06 2018, @08:29PM (#745151)

    The problem with requiring ultra-complicated, hard-to-remember passwords is that they invariably end up saved in a password manager or written down.

    These highly entropic, undecipherable passwords would ideally have little to no ambiguity when written down and read back (i.e. Oo0, Il, Ss5, jJ, 71l, 9g, etc.). The concept of the 4 words as per XKCD fame is a good one for users writing things down. The super complicated self/autogenerated ones are fine if the user has a decent password manager. To avoid users entering insecure passwords only requires a decent minimum entropy and a few simple entropy checks for excessive repetition and/or monotonic increment (e.g. password-password-password, 1234567891011121314151617181920, or password1-password2-password3, etc.). The entropy calculation should not include any substrings with the username/ID or the site/company name. A user might have a longer password with mostly low entropy characters (e.g. English words), or have a short password with lots of entropy in the characters (e.g. random base64 strings). It also helps if there is a description of how to make a secure password with a selection of seemingly random but relatively easy to remember words. You could even run the password against a dictionary attack with some common dictionaries to avoid obviously broken passwords.

    I'm not that concerned with the general case of users either writing down passwords or relying on password managers. Yes, both options have downsides, but they are heavily outweighed by the advantages.

    Written-down passwords may be lost or stolen and the user is out of luck with potentially hundreds of passwords. However, attacking this list requires offline access, and if the list is kept relatively securely (i.e. locked drawer, wallet, briefcase, etc.) then it isn't likely to fall victim to a walk-by 'post-it note on the monitor' exposure. Also, a user can keep multiple lists at varying degrees of security, e.g. important passwords in the locked briefcase or wallet, and stupid website passwords in a locked drawer of their desk. Photocopies can be used for backups if the lists are at risk of loss.

    Assuming a password manager has decent backup/replication capability and is designed properly (i.e. secure), then a user should only have one password to remember (or a few if they want multiple vaults) - a password that could be written down and kept securely elsewhere if the user thinks they'll forget it. Password managers generally have a consistent interface that is known to the user. And the master password request happens due to actions taken by the user, out of band (and not in the browser window) of the remote password being either auto-entered or copy/pasted. So it is far less likely to be compromised than, for example, a spoofed misspelled domain asking for a corporate/banking/shopping/social media/email/etc. password. Password managers are great because mis-typed domain names won't be auto-entered, giving the user an extra level of protection. Good password managers can have multiple vaults if a user wants to avoid the 'one password to rule them all', allowing some additional passwords to be kept even more securely and segmented by site/security level/importance/age/etc. They can also be accessed from a separate device from the one being used for password entry (e.g. a smart-phone is used to bring up and manually type the admin password for a server attached to a KVM switch in the server room).

    For the particularly paranoid, you can use your password manager or written list to keep a secure base password for each site, and then further transform that password with some additional secret out-of-band data (either static or generated based on the site name/password/date of generation/etc.). This adds a certain amount of protection against stolen lists or hacked password manager master passwords. Some people do this without a password manager against a master password, but that is dangerous as the password from one (or more) sites may lead to sufficient clues to attack the 'algorithm' and therefore effectively leak the entire password list.

    Yes, there are downsides to password managers, but there is no way the vast majority of users are going to remember hundreds of secure passwords.

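The checks pipedwho's comment lists (a minimum entropy, detection of excessive repetition and monotonic increment, username/site substrings excluded from the entropy, and a common-password dictionary), as an added Python example that is not part of the comment or the story. The character-class entropy estimate is a deliberately crude assumption, and the tiny COMMON_WORDS set is a constructed stand-in for a real leaked-password list.

```python
import math
import re

# Constructed stand-in for the "common dictionaries" in the comment (a real check loads a leaked-password list).
COMMON_WORDS = {"password", "admin", "letmein", "qwerty", "123456"}
SEP = r"[-_ .]"  # separators users put between repeated units

def entropy_bits(pw):
    """Crude estimate (assumption): length * log2(size of the character classes present)."""
    pool = sum(n for rx, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z\d]", 33))
               if re.search(rx, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def strip_identifiers(pw, *names):
    """Remove username/site substrings so they contribute nothing to the entropy score."""
    for name in filter(None, names):
        pw = re.sub(re.escape(name), "", pw, flags=re.IGNORECASE)
    return pw

def is_repetition(pw):
    """A unit of 3+ characters repeated, with optional separators: 'password-password-password'."""
    return re.fullmatch(r"(.{3,}?)(?:%s?\1)+" % SEP, pw) is not None

def is_counting(pw):
    """Consecutive integers run together ('12345678910...') or one stem with +1 suffixes."""
    if pw.isdigit():
        for k in range(1, 4):  # try 1-, 2- and 3-digit starting numbers
            n, s = int(pw[:k]), ""
            while len(s) < len(pw):
                s, n = s + str(n), n + 1
            if s == pw:
                return True
        return False
    parts = [re.fullmatch(r"(.*?)(\d+)", p) for p in re.split(SEP, pw)]
    if len(parts) < 2 or not all(parts):
        return False
    nums = [int(m.group(2)) for m in parts]
    return len({m.group(1) for m in parts}) == 1 and nums == list(range(nums[0], nums[0] + len(nums)))

def check_password(pw, username="", site="", min_bits=40):
    """Return the list of policy failures; an empty list means the password is accepted."""
    bits = entropy_bits(strip_identifiers(pw, username, site))
    checks = [(re.sub(r"\d+$", "", pw.lower()) in COMMON_WORDS, "common password"),
              (is_repetition(pw), "excessive repetition"),
              (is_counting(pw), "monotonic sequence"),
              (bits < min_bits, "entropy %.0f bits < %d" % (bits, min_bits))]
    return [msg for hit, msg in checks if hit]
```

Note that a four-word passphrase passes on length alone even though every character class is "low entropy", which is the trade-off the comment describes between long dictionary-word passwords and short random ones.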