
posted by mrpg on Tuesday October 10, @09:30PM
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?
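The three NIST points above amount to a concrete verifier policy: a length floor, a generous length ceiling, a blocklist of common or breached passwords, and no composition or expiry rules. The following is an added example (not code from NIST, Schneier or SoylentNews) of what such a check looks like; the blocklist is a small constructed sample standing in for a real breach corpus, and the sequential/repetitive checks follow the SP 800-63B recommendation to screen those out.

```python
"""NIST SP 800-63B-style password acceptance check (added example).

Implements the guidance summarised above: minimum length, a generous
maximum, a blocklist of common/breached passwords, and deliberately NO
uppercase/digit/symbol requirements and NO expiry logic.
"""
import unicodedata

MIN_LENGTH = 8      # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64     # SP 800-63B: verifiers should allow at least 64 characters

# Constructed sample; a real deployment loads a large breach corpus instead.
BLOCKLIST = {
    "password", "123456", "qwerty", "hunter2", "letmein", "iloveyou",
    "password1", "abc123", "welcome", "admin",
}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def _is_sequential(s: str) -> bool:
    """True when the whole string is a single ascending or descending run
    of adjacent code points, e.g. 'abcdefgh' or '87654321'."""
    codes = [ord(c) for c in s]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(s) >= 4 and diffs in ({1}, {-1})


def _is_repetitive(s: str) -> bool:
    """True when the string is one character repeated, e.g. 'aaaaaaaa'."""
    return len(set(s)) == 1


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return a list of rejection reasons; an empty list means acceptable.

    Spaces and any printable Unicode are allowed, so passphrases like
    'correct horse battery staple' pass without special handling.
    """
    secret = normalize(candidate)
    reasons = []
    n = len(secret)  # count code points, not bytes
    if n < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if n > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the common/breached password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if _is_repetitive(secret):
        reasons.append("single repeated character")
    if _is_sequential(secret):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "hunter2", "12345678", "P@ssw0rd!"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Note what is absent: "P@ssw0rd!" is accepted purely because it is long enough and not on the (sample) blocklist, not because it mixes character classes, and "hunter2" is rejected on two independent grounds. In production the blocklist lookup would be against a hashed breach corpus or a k-anonymity range query rather than an in-memory set.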



  • (Score: 1, Funny) by Anonymous Coward on Tuesday October 10, @09:47PM (8 children)

    by Anonymous Coward on Tuesday October 10, @09:47PM (#580087)

    Do these new rules mean I can change my password back to "hunter2"?

    • (Score: 3, Funny) by takyon on Tuesday October 10, @09:51PM (5 children)

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Tuesday October 10, @09:51PM (#580095) Journal

      We're recommending the upgraded security of "hunter1". It works because the adversary assumes you would move on to "hunter3".

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by bob_super on Tuesday October 10, @09:54PM (4 children)

        by bob_super (1357) on Tuesday October 10, @09:54PM (#580096)

        I'm totally going for 123456 or qwerty, because no attacker would believe I'm stupid enough to use those in 2017.

        • (Score: 2) by frojack on Tuesday October 10, @10:32PM (1 child)

          by frojack (1554) Subscriber Badge on Tuesday October 10, @10:32PM (#580122) Journal

          But every cracking algorithm still has those at the top of their list. Even though we all know you get exactly 3 tries.

          None of this cracking stuff is done by the geeky computer girl nerd as seen on EVERY stupid TV show. How come it's always a girl? How come she gets it on the third try every time?

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 3, Funny) by bob_super on Tuesday October 10, @10:55PM

            by bob_super (1357) on Tuesday October 10, @10:55PM (#580135)

            That's because she's the only one to check whether he's got a picture of his girlfriend or his kids on his desk.
            Real geeks don't have the feels it takes for social engineering, you know!

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:15AM

          by Anonymous Coward on Wednesday October 11, @12:15AM (#580178)

          "username" and "password" seem like good security.

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @02:27PM

          by Anonymous Coward on Wednesday October 11, @02:27PM (#580478)

          Upgrade to Dvorak adn fool them even furter by changing to ',.pfy

    • (Score: 2) by el_oscuro on Tuesday October 10, @11:40PM

      by el_oscuro (1711) Subscriber Badge on Tuesday October 10, @11:40PM (#580159)

      How did you get my SN password? It was all ***** on the screen when I typed it!

      --
      SoylentNews is Bacon! [nueskes.com]
    • (Score: 0) by Anonymous Coward on Tuesday October 10, @11:55PM

      by Anonymous Coward on Tuesday October 10, @11:55PM (#580165)

      Finally you can omit the "2".

  • (Score: 2) by bzipitidoo on Tuesday October 10, @09:57PM (20 children)

    by bzipitidoo (4388) on Tuesday October 10, @09:57PM (#580099) Journal

    What really annoys me are the "security questions" that are passwords in all but name. I've been locked out of accounts despite knowing the password, because I couldn't answer the security questions within 3 tries (did I capitalize the first letter of my answer? etc.), and they have this stupid 3 strikes policy. Facebook will allow only 3 guesses per hour. Others lock up permanently after 3 failed guesses, and you have to call customer service to get it unlocked.

    It's effectively 7 passwords to remember when a site demands no less than 6 security questions. Worse, with that many questions and a 3 strikes policy, you'd better make sure you have the answers paired up with the correct questions, so you have to record the questions too.

    • (Score: 1, Troll) by bob_super on Tuesday October 10, @10:11PM (7 children)

      by bob_super (1357) on Tuesday October 10, @10:11PM (#580111)

      Oh Dear, Oh Dear, what will one do if they are locked out of facebook for a full hour?
      I'll call the UNHCR for you.

      • (Score: 0) by Anonymous Coward on Tuesday October 10, @10:23PM (3 children)

        by Anonymous Coward on Tuesday October 10, @10:23PM (#580117)

        Oh Dear, Oh Dear, what will one do if they are locked out of facebook for a full hour?

        There's this thing called life that relied on genuine human interaction, unfortunately facebook have yet to offer this service to their users (AKA: product).

        • (Score: 2) by takyon on Tuesday October 10, @10:49PM

          by takyon (881) <{takyon} {at} {soylentnews.org}> on Tuesday October 10, @10:49PM (#580132) Journal

          There's this thing called life that relied on genuine human interaction, unfortunately facebook have yet to offer this service to their users (AKA: product).

          It's coming [soylentnews.org]

          --
          [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 0) by Anonymous Coward on Tuesday October 10, @11:57PM (1 child)

          by Anonymous Coward on Tuesday October 10, @11:57PM (#580167)

          Sometimes people use Facebook to arrange in-person meetings, do they not? In which case, an hour's delay in communicating could be a problem.

          • (Score: 3, Informative) by Anal Pumpernickel on Wednesday October 11, @08:45AM

            by Anal Pumpernickel (776) on Wednesday October 11, @08:45AM (#580347)

            Regardless of what reasons people have for allowing themselves to be used by the monstrous surveillance engine known as Facebook, they are fools for doing so.

      • (Score: 2) by richtopia on Tuesday October 10, @11:15PM (2 children)

        by richtopia (3160) on Tuesday October 10, @11:15PM (#580147) Homepage Journal

        I know my Facebook account password. However I haven't logged in for 7 years, so when I attempted to again I was prompted with a series of security questions asking me to identify people in photos. I don't know how my high school colleagues look!

        Moral of the story, moving onto 8 years of no Facebook. And my family who only uses Facebook messenger to make social plans never communicates with me.

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:10AM (1 child)

          by Anonymous Coward on Wednesday October 11, @12:10AM (#580176)

          https://www.prod.facebook.com/help/159096464162185 [facebook.com]

          What types of ID does Facebook accept?

          If you need to confirm your name on Facebook, or if you've lost access to your account, you may be asked to send us a copy of something with your name on it. You have several different options for this, including photo IDs that are issued by the government, IDs from non-government organizations, official certificates or licenses that include your name or other physical items like a magazine subscription or a piece of mail.

          Any time you send us something that confirms your name or identity, please cover up any personal information we don't need to see (ex: credit card number, Social Security number). Also keep in mind that we encrypt everyone's connection to Facebook by default and delete anything that you've sent to us after we've confirmed your name or identity.

          • (Score: 2) by Aiwendil on Wednesday October 11, @01:15PM

            by Aiwendil (531) on Wednesday October 11, @01:15PM (#580439) Journal

            If you need to confirm your name on Facebook, or if you've lost access to your account, you may be asked to send us a copy of something with your name on it.

            And that really annoys me, I haven't signed up with my real name for anything in more than a decade (only about 60% of my friends know my real name, almost all know this username however). Also how does it deal with name changes?

            Why on earth would I sign up on a social networking site with a name very few people call me? (Not even my coworkers call me by my name, they instead use one of the three irl-nicknames I have. I know some of them don't know my name) And it can be years between the times when I hear someone call me by my real name.

    • (Score: 2) by frojack on Tuesday October 10, @10:26PM (2 children)

      by frojack (1554) Subscriber Badge on Tuesday October 10, @10:26PM (#580119) Journal

      I've got one bank account I manage that wants to ask you a security question for EACH function, and have you remember them.

      That's bad enough for a personal account, but it's a business account.

      So as account handlers (employees) get swapped out over time, whenever one of these functions is needed, (adding a new Payee for example) they have to call up the old account handler, ask him what his best childhood friend's first name was, write that down. Then they repeat the process the next time they want to change a mailing address or phone number.

      And god help you if you log in from a different IP. Now you need two passwords or security questions.

      Jeeze, just give me a Yubikey [yubico.com] and be done with it. At least I could put that in the safe. Now what was that safe combo?

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Interesting) by NewNic on Tuesday October 10, @11:54PM (1 child)

        by NewNic (6420) on Tuesday October 10, @11:54PM (#580163)

        At least one bank in the UK has a 2FA using your debit card. They issue you a card reader, and when you want to do a transaction like sending money, you slip the card into the reader, enter your card's PIN, then enter a number provided by the website. Finally, you type the number that the card reader returned back into the website.

        It does require cards with chips, which have been in use in Europe for a lot longer than in the USA.

        There is another factor with the way things work in the UK: it's actually simple and efficient to send money electronically directly from one bank account to another, both within the UK and internationally. I don't believe British people can imagine how difficult that task is in the USA.

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:35PM

          by Anonymous Coward on Wednesday October 11, @12:35PM (#580426)

          If it's anything like the German chip/tan system, it's orders of magnitude better than regular 2-factor authentication.

          Regular 2-factor is only valid once or for one minute (depending on the version). Either way, a man in the middle attack (or "man in the browser", for those who think that anything not stopped by SSL cannot be called MITM) can just replace the amount and account number. The chip/tan code on the other hand is basically a digital signature of the transaction id, target account and amount, which are also shown on the screen on the device itself (which has no connection to the computer).

          When done correctly, that number you enter is only valid for the amount and target account shown on the device screen.
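The property described in the two comments above, that a transaction-bound code fails if a man-in-the-browser alters the amount or target account while an ordinary one-time code does not, can be shown with a small simulation. This is an added example, not code from any bank or from the chip/TAN specification: it assumes the card's MAC is HMAC-SHA256 truncated to 8 digits (real cards use their own MAC algorithm), and the key, account number and transaction id are constructed sample values.

```python
"""Transaction-bound TAN vs. unbound one-time code (added example).

Models the point made above: a code computed over (transaction id, target
account, amount) is rejected by the bank if any of those fields was changed
in transit, whereas a code that only proves possession of a token says
nothing about the transaction it is attached to.
"""
import hashlib
import hmc_placeholder if False else None  # noqa: placeholder line removed below
```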

    • (Score: 2) by RS3 on Wednesday October 11, @03:23AM (5 children)

      by RS3 (6367) on Wednesday October 11, @03:23AM (#580263)

      I had fun recently with AOL, due to Verizon buying AOL and moving verizon.net email accounts to AOL. AOL insist on several security questions (3-5 I think).

      I tried to tell them, and others, that I can remember a really good password, but multi-factor, etc., and I have to write it down, copy it to several places, keep in files on all computers, etc. Not so secure now, huh?

      And they will NOT help you on the phone unless you know the answers!

      • (Score: 0) by Anonymous Coward on Wednesday October 11, @02:21PM (4 children)

        by Anonymous Coward on Wednesday October 11, @02:21PM (#580474)

        AOL???

        • (Score: 2) by RS3 on Wednesday October 11, @06:43PM (3 children)

          by RS3 (6367) on Wednesday October 11, @06:43PM (#580680)

          AOL???

          Not to be pedantic, but that's not a complete question; I don't understand what you're asking.

          • (Score: 2) by Yog-Yogguth on Sunday October 15, @10:36AM (2 children)

            by Yog-Yogguth (1862) Subscriber Badge on Sunday October 15, @10:36AM (#582591) Homepage Journal

            Good point! Considering it is now 2017 it's hard to tell if he/she/it/bot is trying to be elitist (because of AOL history) or funny (because of AOL history) or impressed (not because of AOL history!!!).

            Flames/burns/insults that are so old they have become flattering lol :)

            I welcome our dinosaurs making dinosaur jokes about dinosaurs :D

            --
            Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
            • (Score: 2) by RS3 on Monday October 16, @04:29AM (1 child)

              by RS3 (6367) on Monday October 16, @04:29AM (#582905)

              Yeah, or maybe the he/she/it/bot doesn't even know who/what AOL is.

              Can bots google? Or does google use a bot filter?

              • (Score: 2) by Yog-Yogguth on Monday October 16, @09:33PM

                by Yog-Yogguth (1862) Subscriber Badge on Monday October 16, @09:33PM (#583175) Homepage Journal

                Yes (but strictly yesnomaybe although mostly very yes) bots can Google, and yesnomaybe there is a bot filter of sorts both for Google and everyone else and also for anyone using Google but not really. Easy clear answers right? :D

                Google's own bots (often called indexing spiders, or at least once upon a time they were called that) are (or were) meant to respect any HTTP robots.txt file [wikipedia.org] details. Any other non-Google bot (or script for that matter) is able to use Google just like any other website or for that matter ignore (or respect) any robots.txt file they find if they act like indexing spiders themselves. Google does not have a bot filter as such but probably at very high volumes of traffic/questions/searches restricts the amount of use from any one IP address or IP subnet addresses which I guess one could call a bot filter of sorts although it's more about use and capacity i.e. flooding control and it has plenty of yesnomaybe answers of its own :)

                --
                Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
    • (Score: 0) by Anonymous Coward on Wednesday October 11, @03:05PM

      by Anonymous Coward on Wednesday October 11, @03:05PM (#580499)

      I dont have issues with the security questions. Make a standard for yourself. Do you capitalize the answers? If so do it all the time. Do you fully spell it out or use common abbreviations? If so do it all the time. Do you enter spaces or all one word? Do it all the time.

    • (Score: 0) by Anonymous Coward on Wednesday October 11, @05:21PM

      by Anonymous Coward on Wednesday October 11, @05:21PM (#580590)

      you're not supposed to be trying to remember all that shit. copy/paste it, ffs

    • (Score: 2) by ilsa on Wednesday October 11, @05:27PM

      by ilsa (6082) on Wednesday October 11, @05:27PM (#580598)

      I come up with random answers and store them in my password database along with the password.

  • (Score: 4, Informative) by frojack on Tuesday October 10, @10:14PM (19 children)

    by frojack (1554) Subscriber Badge on Tuesday October 10, @10:14PM (#580113) Journal

    This was news back in June when it came out, and in August [soylentnews.org] when it was first covered in SoylentNews. (in other words: Dup!)

    Schneier is one of the few that has been stating this long before the NIST decided to get on the bandwagon.
    The rest of the security parrots have been touting crapword and punctuation and expiration for literally decades.

    (Schneier's personal recommendation [schneier.com] isn't all that practical itself if you ask me. It tends to require you to re-use passwords simply because there aren't that many long phrases that immediately come to mind such that you can have one for each login).

    His general recommendation is:

    There's more to passwords than simply choosing a good one:

    1. Never reuse a password you care about. Even if you choose a secure password, the site it's for could leak it because of its own incompetence. You don't want someone who gets your password for one application or site to be able to use it for another.
    2. Don't bother updating your password regularly. Sites that require 90-day -- or whatever -- password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.
    3. Beware the "secret question." You don't want a backup system for when you forget your password to be easier to break than your password. Really, it's smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
    4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It's almost certainly a security improvement.
    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2, Informative) by davidjohnpaul on Tuesday October 10, @10:22PM (7 children)

      by davidjohnpaul (5377) on Tuesday October 10, @10:22PM (#580116) Homepage

      Schneier also suggests using a password manager. If you use the long phrase to protect it, with it auto-generating all your other passwords for you, then the lack of long phrases that immediately come to mind is less of a problem.

      • (Score: 3, Informative) by frojack on Tuesday October 10, @10:38PM (6 children)

        by frojack (1554) Subscriber Badge on Tuesday October 10, @10:38PM (#580127) Journal

        Yes, his point number 3 above.

        But if you use a long passphrase, then you need to type that long passphrase 100 times a day. That gets old.

        I use a short-ish password to get into my password manager. It locks after three failed tries anyway.

        I have that password tattooed on the bottom of my left foot. I have "other foot" tattooed on the bottom of my right foot.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 5, Funny) by bzipitidoo on Wednesday October 11, @12:44AM (1 child)

          by bzipitidoo (4388) on Wednesday October 11, @12:44AM (#580188) Journal

          You could be in trouble if you ever need one foot amputated. If it's the left foot, you lose your master password. If it's the right, the surgeons might mistake that tattoo as a message for them and amputate your left and you still lose your password.

          • (Score: 1) by DECbot on Thursday October 12, @12:41AM

            by DECbot (832) on Thursday October 12, @12:41AM (#580878) Journal

            No, he'll be okay because he has "other foot" tattooed on the bottom of his feet.

            --
            cats~$ sudo chown -R us /home/base
        • (Score: 1, Informative) by Anonymous Coward on Wednesday October 11, @12:56AM (1 child)

          by Anonymous Coward on Wednesday October 11, @12:56AM (#580192)

          I use a shor[t]-ish password to get into my password manager. It locks after three failed tries anyway.

          What's your threat model? You walk away from the computer then an attacker walks up and tries to open the password manager? Couldn't that attacker make a copy of the password manager's database, then try guessing the master password at his leisure, resetting the counter when he guesses wrong?

          • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:40PM

            by Anonymous Coward on Wednesday October 11, @12:40PM (#580429)

            resetting the counter when he guesses wrong?

            Password-guessing software doesn't bother to update the counter in the first place.

        • (Score: 2) by maxwell demon on Wednesday October 11, @09:00AM

          by maxwell demon (1608) Subscriber Badge on Wednesday October 11, @09:00AM (#580352) Journal

          I see, your password is "this foot".

          --
          The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 2) by lgw on Wednesday October 11, @06:25PM

          by lgw (2836) on Wednesday October 11, @06:25PM (#580660)

          You don't fool me. "Other foot" is your actual password!

    • (Score: 3, Interesting) by richtopia on Tuesday October 10, @11:19PM (8 children)

      by richtopia (3160) on Tuesday October 10, @11:19PM (#580149) Homepage Journal

      How do you beware the secret question? It is mandatory for most applications to provide security questions, so I cannot opt-out of them. Is the recommendation to treat secret answers as passwords: unique ones per site? Even with a password manager that feels tedious.

      • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:25AM

        by Anonymous Coward on Wednesday October 11, @12:25AM (#580180)

        That's my own practice. I am wary of giving true answers, because the true answers to some of those questions could be discovered by an attacker and because there's a tendency for various sites to use the same security questions. If one gives true answers, and one site is compromised, then the attacker has the answers for all sites that used the same question(s).

      • (Score: 2) by vux984 on Wednesday October 11, @01:00AM (6 children)

        by vux984 (5045) on Wednesday October 11, @01:00AM (#580195)

        How do you beware the secret question? It is mandatory for most applications to provide security questions, so I cannot opt-out of them. Is the recommendation to treat secret answers as passwords: unique ones per site?

        I just generate passwords for them; and save them in my password manager.

        What is your mother's maiden name?

        asdfakjfkjf32lkjf2439ergavakghg2h

        Who was your best friend when you were 12?

        zvnmmn224guagvbaf2thahgasdf3eg

        etc...

        Even with a password manager that feels tedious.

        If you use a password manager, you're never going to need these recovery questions anyway. And if you lose your password manager, you lost these answers... so either way it's moot. I opt out if I can, or stuff them with garbage. A few sites will ask you a security question on top of your password the first time you login from a new browser etc so for those it's an extra step, but for the most part the most tedious thing about password recovery questions is that they exist at all.

        Step 1: choose a difficult password with 10 characters, 3 numbers, 2 special characters, 3 capitals, that also doesn't appear on some list we use etc etc etc...

        Step 2: to recover your password, choose 3 single english word answers to questions that half the people that know you could answer, and the rest could answer by stalking you on facebook... or if you were clever enough to not to have a facebook account, they can still probably get the answers to most of them by facebook stalking your sister instead. (mother's maiden name, city you grew up in, your favorite uncle's first name, your first pet... etc, etc...). Oh... and I think my favorite was when the office decided to do a know-your-fellow-employee treasure hunt one year and had us all fill out a series of questions -- "favorite sport, city you grew up in, how many siblings etc..." the idea was that we'd then go around and try and find the employee whose favorite sport was curling, and who had 6 sisters, and who had been born in Tennessee... etc etc but it was basically a list of all the sorts of questions these password recovery sites use.

        Step 2a: At least one of these questions will stump you 5 years from now even if you answered completely honestly. Seriously..."What is your favorite food" ... I have no idea what I'd put as my favorite food today.... let alone what I came up with 5 years ago when some site forced me to fill it out.

        So yeah, I use generated gibberish now, and it's never been an issue... so far.

        • (Score: 2, Interesting) by Anonymous Coward on Wednesday October 11, @04:11AM (2 children)

          by Anonymous Coward on Wednesday October 11, @04:11AM (#580284)

          One alternative I've used in the past was normalizing and then hashing the question and a salt and using what that spits out as the answer. Easy to duplicate and nothing to remember.
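The derived-answer approach in the comment above (and the per-site uniqueness argued for a few comments earlier, so that one compromised site does not expose the answers used elsewhere) can be made concrete. This is an added example, not the commenter's code: it assumes the "salt" is a secret kept in the password manager, mixes in a site label so answers differ per site, and encodes the HMAC output in base32 so the answer survives letters-and-digits-only answer fields. The secret and site names are constructed sample values.

```python
"""Deterministic security-question answers from a secret (added example).

normalize_question() makes capitalisation, punctuation and spacing
irrelevant, which removes the 'did I capitalise it?' lockout problem
described earlier in the thread; the per-site label in derive_answer()
means the same question yields a different answer on every site.
"""
import base64
import hashlib
import hmac
import re
import unicodedata


def normalize_question(question: str) -> str:
    """Lowercase, NFKC-fold, strip punctuation and collapse whitespace so
    "What is your Mother's maiden name?" and "what is your mothers maiden
    name" map to the same key."""
    q = unicodedata.normalize("NFKC", question).lower()
    q = re.sub(r"[^\w\s]", "", q)      # drop apostrophes, question marks, etc.
    return " ".join(q.split())         # collapse runs of whitespace


def derive_answer(secret: bytes, site: str, question: str, length: int = 20) -> str:
    """HMAC-SHA256(secret, site || normalized question), base32-encoded and
    truncated. Changing the site or the question changes the whole output."""
    message = f"{site.lower()}|{normalize_question(question)}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # base32 is letters and digits only; lowercase so the answer is easy to read out
    return base64.b32encode(digest).decode().rstrip("=")[:length].lower()


if __name__ == "__main__":
    SECRET = b"constructed-sample-secret-kept-in-password-manager"
    print(derive_answer(SECRET, "example.com", "What is your Mother's maiden name?"))
    print(derive_answer(SECRET, "other.example", "What is your Mother's maiden name?"))
```

The trade-off is that the secret is now a single point of failure in the same way the password manager's database is, which is the same dependency the thread already accepts; what this buys over typing random strings is that the answers can be regenerated rather than stored. Truncating to 20 characters keeps roughly 100 bits of the HMAC output, far beyond what a three-tries lockout needs.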

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:48PM

          by Anonymous Coward on Wednesday October 11, @12:48PM (#580433)

          If you use a password manager, you're never going to need these recovery questions anyway.

          That's what I used to think. Until I needed to change my e-mail address for Battle.NET. Nope, password is not enough, has to answer the security question. And apparently I don't know exactly how I spelled the answer.

          Now I generate a second password for those stupid security questions and put it in the "comment" field in my password manager. Wouldn't want it to be the same as my password as there is a higher likelihood that a support person will get the answer shown on their screen, as those "security" questions are generally thought to need to be less secure than the password they are often used to reset.

        • (Score: 2) by Osamabobama on Wednesday October 11, @08:15PM (1 child)

          by Osamabobama (5842) on Wednesday October 11, @08:15PM (#580768)

          What is your mother's maiden name?

          asdfakjfkjf32lkjf2439ergavakghg2h

          Those non-Latin alphabets never display quite right for me. Is that a central Asian name?

          --
          Appended to the end of comments you post. Max: 120 chars.
          • (Score: 2) by Yog-Yogguth on Sunday October 15, @11:14AM

            by Yog-Yogguth (1862) Subscriber Badge on Sunday October 15, @11:14AM (#582601) Homepage Journal

            Indeed it is! If you squint you'll notice it's the ASCII-art version of UTF-8 Telugu (scroll down and look at the sample text here [omniglot.com] and how they compressed the alphabet into Unicode here [wikipedia.org]). Telugu is the world's 15th most spoken language with at least 75 million speakers (wiki link [wikipedia.org]).

            Her name is "Daisy" :P

            I can't speak Telugu, it's all Dravidian to me (another link [wikipedia.org]). (I don't speak Greek either).

            --
            Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
    • (Score: 2) by NewNic on Tuesday October 10, @11:56PM (1 child)

      by NewNic (6420) on Tuesday October 10, @11:56PM (#580166)

      I would add one more:
      5. Make sure that the password to each of your email accounts is never re-used anywhere else.

  • (Score: 3, Informative) by Ethanol-fueled on Tuesday October 10, @11:14PM (3 children)

    by Ethanol-fueled (2792) Subscriber Badge on Tuesday October 10, @11:14PM (#580145) Homepage Journal

    Password expiration has always been pants-on-head retarded. The kind of dickheads who let others use their passwords are the same dickheads who are going to continue to let others use their passwords after they change it. Almost everybody else has a generic password and just increments a letter or digit or word or generally puts in the least effort necessary to comply with the local requirements.

    • (Score: 3, Informative) by Anonymous Coward on Tuesday October 10, @11:25PM

      by Anonymous Coward on Tuesday October 10, @11:25PM (#580153)

      It dates back to old systems where you have read-access to the hashed password database.

      It has nothing to do with password sharing.

    • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 10, @11:35PM

      by Anonymous Coward on Tuesday October 10, @11:35PM (#580157)

      Almost everybody else has a generic password and just increments a letter or digit or word or generally puts in the least effort necessary to comply with the local requirements.

      Which is why new discourse.org forums default on a policy that randomizes a strong password and force you to use it without letting you make your own.

      Going off topic, I hate discourse.org with a passion. Their shitty javascript is dog slow while at the same time every other tech support site uses them.

    • (Score: 4, Informative) by stretch611 on Tuesday October 10, @11:53PM

      by stretch611 (6199) on Tuesday October 10, @11:53PM (#580162)

      I remember back when I was using a system with 8 letter max passwords with forced changing every 30 days, 1 upper, 1 lower and 1 number all required. It was a mess. To get around it, I would use the 3 letter abbreviation for the month followed by the 4 digit year... Mar2005 Apr2005 May2005. (8 digit max, I think the min was 5 or 6)

      This is the exact reason why forced password changing is a bad idea.

      for the record... I use KeePassX [keepassx.org] now. It is protected with both a private key file and long passphrase.

  • (Score: 2) by Snotnose on Wednesday October 11, @12:07AM (3 children)

    by Snotnose (1623) on Wednesday October 11, @12:07AM (#580172)

    Think of a phrase. XKCD sez it needs to make sense. Me? Rocket Engines Burning Fuel So Fast, by Black Sabbath. Password? R3bfsfBS. Not an actual password I've ever used, but an idea how I come up with passwords. XKCD is pretty much on the mark when it comes to passwords.

    • (Score: 2) by t-3 on Wednesday October 11, @01:54AM

      by t-3 (4907) on Wednesday October 11, @01:54AM (#580222) Journal

      I often look at my bookshelf, pick a memorable title, and use that. Otherwise, a phrase with another coded phrase embedded (morse, number substitution, etc.). Of course, for stuff I don't care about, I just use one of the passwords I've used since I was a kid.

    • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:51PM (1 child)

      by Anonymous Coward on Wednesday October 11, @12:51PM (#580434)

      XKCD recommends *against* cryptic passwords like "R3bfsfBS". In fact it recommends against passwords in general.

      • (Score: 2) by Yog-Yogguth on Sunday October 15, @11:22AM

        by Yog-Yogguth (1862) Subscriber Badge on Sunday October 15, @11:22AM (#582605) Homepage Journal

        But most places do not allow you to use long pass-phrases that would be easy to remember so you have to adapt as best you can.

        Or "BMpdNAytULp-pTWbeTRsyHTaaBYc." and stay out of my lunch box everybody! :)

        --
        Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
  • (Score: 4, Touché) by Appalbarry on Wednesday October 11, @12:56AM (4 children)

    by Appalbarry (66) on Wednesday October 11, @12:56AM (#580191) Journal

    My approach to passwords begins with the question: just how critical is this site or app, and is figuring out a super-secure password really worth my time? Most forums and the like get short simple passwords because I can't see any significant damage happening if they get accessed by someone else. For those sites that I only visit once or twice a year I don't even try - I just use "Forgot Password."

    Mostly I trust Chrome to keep track of my passwords. I use it on three different devices so it works fine for me. If I'm using someone else's computer I'll fall back to "Forgot Password."

    There are a handful of sites that I feel actually merit a serious password, and that tends to be of the Hammer56Grout$ variety - complex enough to make the little checkmarks turn green, but memorable enough to stick in my brain. Yeah, I'll reuse that for those few sites, but I also change it out every couple of months, or when one of the sites involved has been compromised.

    The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed? Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

    (If the answer is that you need to type in the password manager password every time you need to log in, I really can't be bothered.)

    Honestly, I waver between "There's got to be a better way short of biometrics" and "on-line security is a lost cause, so why bother."

    • (Score: 2) by vux984 on Wednesday October 11, @01:19AM

      by vux984 (5045) on Wednesday October 11, @01:19AM (#580200)

      The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed?

      The answer to that is simple... don't. Or at least have your phone with you that has a synced copy of the key file.

      Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

      How paranoid are you? I use "password safe" myself (on windows/linux). It automatically locks and needs the password to unlock the password file after the computer locks (either on time out or Win+L). It also can be set to automatically lock when you minimize it (I don't use this), and/or after a certain number of minutes (I do have this on but longer than the default of 5). I also sync the file between a few different computers; so *I* don't get locked out of all my accounts if one of my devices dies or goes missing.

      So if my laptop were stolen, I wouldn't be too worried about it. They'd need to snatch it while it was unlocked and while the password manager was unlocked. This certainly happens, but I'm usually using it. If you lock it before you leave it, it locks, and both your PC and your device need to be unlocked at the time for it to be any good to them. By the time they brute-forced the password safe unlock, I'd have changed all my passwords.

      On average I need to unlock the password safe a few times per day. It's not that much of a chore. And I actually have a 2nd password safe for really high value passwords (banking, domain registrar, etc.), and that one gets opened a lot less; so the odds of losing my banking password by my laptop being swiped out of my hands within a couple minutes of looking up my soylentnews password is basically zero. (Oh, who am I kidding, my SN password is in the tier where, yeah, it's in the safe, but I let my browser remember it so I don't need to open the safe for it. :)

    • (Score: 3, Interesting) by stormwyrm on Wednesday October 11, @01:26AM (2 children)

      by stormwyrm (717) Subscriber Badge on Wednesday October 11, @01:26AM (#580205) Journal

      The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed? Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

      For the latter question, you need to have one very good password that you have memorized to protect your password manager. All proper password managers have the password database strongly encrypted, so a thief who steals a device with my password database on it (this has happened to me once in the past actually) will not be able to access any of my accounts unless they can also break the encryption. (By the way, after that incident I did change all the passwords for good measure.) The former question I think has an obvious answer. I use a password manager myself (KeePassX, which has versions for Linux, Windows, and Android), and the most difficult thing I haven't yet been able to hack a good solution for is how to securely distribute an up-to-date version of the password database to all of my devices and machines after I change a password. I sure as hell am not going to be putting the database on Google Drive or any other cloud, unless the "cloud" is on hardware I have physical access to and uses software I at least have some measure of control over.

      --
      The right to believe whatever you want does not mean that whatever you want to believe is right.
      • (Score: 0) by Anonymous Coward on Wednesday October 11, @10:36AM (1 child)

        by Anonymous Coward on Wednesday October 11, @10:36AM (#580376)

        I think you want ownCloud
        https://en.wikipedia.org/wiki/OwnCloud [wikipedia.org]

        • (Score: 0) by Anonymous Coward on Wednesday October 11, @05:26PM

          by Anonymous Coward on Wednesday October 11, @05:26PM (#580597)

          you mean Nextcloud [nextcloud.com]

  • (Score: 2) by arslan on Wednesday October 11, @05:40AM (2 children)

    by arslan (3462) on Wednesday October 11, @05:40AM (#580304)

    Can't seem to find mention of the password suggestions in the summary... not in the main document linked nor in one of the supplementary documents... didn't read all the related docs though.

    Can anyone (submitter?) maybe post which document actually had those points or is it just an opinion piece by submitter?

    • (Score: 2) by Phoenix666 on Wednesday October 11, @01:24PM (1 child)

      by Phoenix666 (552) Subscriber Badge on Wednesday October 11, @01:24PM (#580443) Journal

      That's the whole article from Schneier on Security (linked at the top of the submission). It was short but the links in it are all there in the submission. The NIST PDF is linked, too.

      --
      Washington DC delenda est.
      • (Score: 2) by arslan on Wednesday October 11, @09:48PM

        by arslan (3462) on Wednesday October 11, @09:48PM (#580810)

        Yes I saw that, but I can't find any material in the NIST PDF linked about the suggestions on passwords. Is it just me or does it read like those 3 suggestions on passwords were from the NIST document? I trawled through the NIST document and another linked supplementary document but couldn't seem to find it.

        I'm not debating whether the suggestions are good or bad, but just trying to verify if it was indeed NIST that published those suggestions or Schneier's own addition. This sentence makes it seem like it was from NIST but I don't see it anywhere:

        Among other things, it makes three important suggestions when it comes to passwords

  • (Score: 3, Interesting) by RedBear on Wednesday October 11, @08:15AM (4 children)

    by RedBear (1734) Subscriber Badge on Wednesday October 11, @08:15AM (#580340)

    I gave up a couple years ago and decided to go with a password manager. I chose a commercial one that provides good syncing between different types of devices, and integrates with all major web browsers. Enabled 2FA on the password manager to drastically decrease the likelihood someone can ever gain access to my password database. It even supports those USB hardware encryption keys if you want to go that far. Enabled 2FA on every other service I use that supports it, which includes many banks as well as things like Google and iCloud. Have backup email addresses, also protected by 2FA, to recover access if I somehow lose access to the main email account.

    Finally realized recently that if you give meaningful (i.e. "rememberable") answers to those stupid security questions they will probably be guessable by anyone who is trying to steal your identity. The attacker will already have a ton of personal info about you. So I use the password generator in the password manager app to generate short random character passwords for the security questions. Usually there are a pair of security questions, so the odds of anyone being able to get through that are basically zero. I just have to remember to store the questions and answers in the notes for that account in the password manager.

    I'm tired of self-described security geeks mocking password managers as being the ultimate in stupidity. After patiently working my way through all my accounts over two years I now have whittled my way down to 100 different active accounts and each uses a unique, random, and (if the site/service supports it) extremely long password. There's a lovely security dashboard in the password manager that tells you exactly how many passwords you're reusing, how many are insecure in some way (too short or too simple), and how many are really old and should probably be changed. I no longer know 99% of my own passwords. I log in using the integrated browser plugins, which only works if I've logged into the main password manager app, which is only installed on my own computers and devices, which are all encrypted and secured to the best of my ability. If I wanted to I could enable 2FA not just per device but for every time I attempt to login to the password manager. And I could have a session timeout, so I wouldn't just be logging in whenever I restart the machine. If it seems necessary I'll take those steps.

    It's time to acknowledge that online services are getting hacked and exposing billions of accounts so frequently that you have to be a nutcase to reuse any password even twice anywhere on the web. Unless you're autistic and can remember 100 different random passwords, you have no rational choice but to use some kind of password manager at this point. But I'm sure someone will have the gall to try and tell me I'm somehow less safe now than I was when I only had a half-dozen different simple passwords, reused on dozens of different websites over a 25-year period. Maybe I'm not perfectly safe, but I've made myself the kind of target that would take more effort than 99.999% of the other targets online. 100 different online services is a huge attack surface when so many sites are being compromised every day. I'm sure many people use even more online services than I do. If any one of my accounts is ever compromised it should lead to exactly zero compromises on other sites. That isn't true for an awful lot of people online. Identity thieves have no good reason to target me as long as there are still billions of people who reuse simple passwords on every site they visit.

    Nothing is perfect, including password managers. But password managers allow regular people a way to escape being the low hanging fruit of the Internet by drastically reducing their attack profile.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
    • (Score: 3, Informative) by pTamok on Wednesday October 11, @09:16AM (2 children)

      by pTamok (3042) on Wednesday October 11, @09:16AM (#580358)

      You describe the benefits of using a password manager very well.

      What I would say, if I put my paranoid security geek hat on, is that they are a simply MASSIVE target for malware, and the malware only needs to get lucky once.

      You are probably aware of a number of compromises of (Windows, but also other e.g. Android) systems that are around, that give the attacker full ring '0' access (or even ring '-1') to systems* - this means that an attacker will be able to (a) exfiltrate a copy of your password database and (b) also be able to access all of memory to grab the key to the database, which can be exfiltrated as well. The recent issue of Kaspersky Anti-Virus taking a copy of NSA software from a contractor's PC demonstrates the process. So using an online password manager, especially one that shares across multiple platforms, means you have a huge vulnerability profile: a compromise of your phone could give access to all your passwords.

      This is a strong argument against using online password managers. They are incredibly convenient, and demonstrate that if you want people to do password security properly, it must be easy to use - but they are very much an 'all your eggs in one basket' affair, and multiplatform ones are only as secure as their most vulnerable platform.

      I won't go so far as to say that you shouldn't use a password manager. People's (and companies') attitudes towards security risks vary, so there is no 'one size fits all' solution, but please be aware of the vulnerabilities of the platforms you use, and evaluate the risk of your password manager being compromised, and what effect such a compromise might have on you.

      I would recommend using an offline, air-gapped password manager. Such a thing is not easy to find. Having unique, strong passwords for every service you use is a good idea. Really.

      *Look at the capabilities of the Intel Management Engine, and the AMD equivalent. Even if the 'Black hats' can't currently leverage those capabilities, I would be unsurprised to learn that Intelligence Agencies can. For most people, that is not an issue, as they are not 'persons of interest' to the intelligence agencies, and are happy to share all their personal information with them - if they were not happy to trust the intelligence agencies and government control of said agencies in their country's best interests, then there would be a great deal more protest. The 'average Joe/Josephine' regards national security agencies as essentially benign for ordinary folk. Quite possibly correctly.

      • (Score: 4, Interesting) by RedBear on Wednesday October 11, @12:09PM (1 child)

        by RedBear (1734) Subscriber Badge on Wednesday October 11, @12:09PM (#580411)

        We are not in disagreement. Offline air-gapped password store (that never touches a USB device either) is a great idea if you're dealing with anything more important than some personal accounts. But nobody will ever go to those lengths for personal things, just like nobody has ever bothered to change their passwords regularly, use random passwords, use long passwords, or use different passwords for different services. What the password manager does for us is it reduces the attack profile from a completely unmanageable [my computer] + [200 very badly run web services] to just [my computer]. From totally out of our individual control to kinda, sorta in our control.

        If you get malware on your machine that is capable of stealing passwords from your password manager, similar malware could also just scan files or any other open applications that might be storing your passwords. Such things have existed for decades. That's just the reality of imperfect computing security in an imperfect networked world. Best we can do is use password managers that don't do dumb things like transmitting unencrypted data across the internet or storing your passwords locally in the clear.

        If you're running a nuclear facility, a password manager is probably not a great idea. Then again, the reality is that people who run such facilities often make such terrible security choices that a password manager could actually be an improvement. How's that for a scary thought?

        --
        ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
        ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
        • (Score: 1) by pTamok on Wednesday October 11, @01:49PM

          by pTamok (3042) on Wednesday October 11, @01:49PM (#580459)

          Modded you up. I agree entirely that laziness trumps security, and you once again point out the real benefits of password managers.

          And I agree re: nuclear facilities, and in fact many process-control and SCADA applications. Security is just not baked in. If somebody messes with process control in an oil refinery, or a chemical plant, or a dam, really nasty things could happen.

    • (Score: 0) by Anonymous Coward on Wednesday October 11, @12:00PM

      by Anonymous Coward on Wednesday October 11, @12:00PM (#580405)

      I highly recommend password managers, but not commercial ones. Use one of the well vetted open source ones. With a commercial manager, nobody but the company has any idea whether or not the crypto used to store the passwords is crap or not, until it is too late. With open source password managers, a few greps will tell me which crypto library is used, which algorithm, and what mode/mac is used. A quick peek at the relevant files will indicate whether or not the password and key data is protected from being swapped out to swap space or the page file and whether any kind of stretching on the master password is used. It really doesn't take long, and you really don't even need to do all this because it has already been done. The open source password managers that are commonly recommended have already been vetted.

      You don't even need to use a password manager if you are using full disk encryption and don't leave your machines running unattended; assuming you can prevent shoulder surfing. In this case, a text file will do. If you get some kind of malware or don't secure your OS, all bets are off.

  • (Score: 0) by Anonymous Coward on Wednesday October 11, @10:24AM

    by Anonymous Coward on Wednesday October 11, @10:24AM (#580372)

    I generate random passwords with a little CLI app I wrote, and then memorize them. It is easier than it sounds. I have to keep them temporarily written down for some time (a couple of days, a week) until they sink in, but after a little while, my memory is refreshed daily by recalling the passwords. Generally I reuse my passwords for all resources and services of the same organization, but keep separate passwords for separate organizations. I also have a single default burner password for online resources that IMO shouldn't need access control at all but which force registration upon me.

    Obviously, the problem with my scheme is that I forget passwords which I don't use frequently. Sometimes I have trouble recalling them after e.g. a vacation.
