
posted by hubie on Friday September 27, @02:11AM

https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/

The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.

Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules—ostensibly to enhance security hygiene—actually undermine it. And yet, the nameless rulemakers impose the requirements anyway.

[...] A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
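The acceptance rules the proposal is described as setting (a length floor with no composition rules, long passwords permitted, Unicode counted per code point and normalized, a blocklist of compromised and context-specific values instead of "must contain a symbol", and no truncation) fit in a short verifier. The block below is an added illustration written for this page, not code from Ars Technica or NIST; the blocklist, the context words and the 256-character cap are constructed for the example (the guidance only says verifiers should accept at least 64).

```python
"""Added example: a password acceptance check in the style of NIST SP 800-63B.

No 'upper/digit/symbol' rules. Length is the only hard requirement, the whole
secret is examined, Unicode is NFKC-normalised and counted per code point, and
a blocklist stands in for the compromised/context-specific comparison the
guidance asks for. BLOCKLIST is a constructed stand-in for a breach corpus."""
import unicodedata

MIN_LENGTH = 8      # the guidance's floor; 15 is its recommended minimum
MAX_LENGTH = 256    # assumption for the example; must be at least 64

# Constructed stand-in for a real breached-password list.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein",
    "spring2024", "winter2024",
}


def normalize(secret: str) -> str:
    """NFKC so visually identical input (e.g. the 'fi' ligature) hashes the same."""
    return unicodedata.normalize("NFKC", secret)


def _repetitive_or_sequential(s: str) -> bool:
    """'aaaaaaaa' and 'abcdefgh'-style values, which the guidance says to reject."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str, context_words=()) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.
    context_words are things like the username or the service name."""
    reasons = []
    s = normalize(secret)
    if len(s) < MIN_LENGTH:            # len() counts code points, as required
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in the blocklist")
    for w in context_words:
        if w and w.lower() in lowered:
            reasons.append(f"contains context-specific word {w!r}")
    if _repetitive_or_sequential(lowered):
        reasons.append("repetitive or sequential characters")
    # Deliberately no composition rule: spaces and any printable character pass.
    return reasons
```

Note what passes and what fails: "correct horse battery staple" is accepted with no symbol or digit in it, while "Spring2024" fails on the blocklist and "Barney!102024" fails only because the username is a context word, not because of its shape.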



  • (Score: 4, Touché) by Gaaark on Friday September 27, @02:24AM (2 children)

    by Gaaark (41) on Friday September 27, @02:24AM (#1374761) Journal

    The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies,

    How about also banning vexing and nonsensical Windows? Shoulda already been done by any federal body that sets technology standards!

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 0) by Anonymous Coward on Tuesday October 01, @01:41AM (1 child)

      by Anonymous Coward on Tuesday October 01, @01:41AM (#1375198)

      Most "Desktop Linux" distros will have mostly the same problems as Windows if they have tons of the sort of users who would enter passwords in order to decrypt and run malware sent to them: http://virus.wikidot.com/beagle [wikidot.com]

      For Windows it's still considered a vulnerability if users have to click through warnings to get themselves pwned.

      And if I click through warnings on Ubuntu Desktop I can still potentially run malware.

      • (Score: 2) by Gaaark on Tuesday October 01, @11:47AM

        by Gaaark (41) on Tuesday October 01, @11:47AM (#1375249) Journal

        An executable that lands in my system must be made executable (chmod +x) before it can be run, giving me that extra bit of security and that extra bit of "Don't do it! You'll regret it!"

        Windows, on the other hand, is like the librarian on Bob's Burgers: "Don't do it. Don't do it.......DO IT!"

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 5, Insightful) by JoeMerchant on Friday September 27, @03:22AM (15 children)

    by JoeMerchant (3937) on Friday September 27, @03:22AM (#1374772)

    Password rules are all about user psychology and behavior.

    While forcing weird character combinations does make shorter passwords harder to dictionary guess, alpha only multi word passwords like correcthorsebatterystaple are far easier to remember and harder to guess than silly rule compliant passwords like Upper12!

    All the crazy rules and periodic change requirements both cause people to write their passwords down and exercise forgotten password reset systems, both are big security holes.

    --
    🌻🌻 [google.com]
    • (Score: 3, Insightful) by looorg on Friday September 27, @10:06AM (2 children)

      by looorg (578) on Friday September 27, @10:06AM (#1374789)

      They tried to set minimum requirements, but in actuality and for the most part I strongly suspect that they just set the limit. What they ask for is what they get. Most of the rules as implemented are probably nonsensical in that regard.

      When they say it should contain a symbol, they get ONE symbol, and from a very limited set of symbols. I would think the most common one would be a !. Then they get ONE or at most two digits. If they ask for upper and lower case letters they get one or so uppercase letters, as most people already and normally type in lowercase. There is a high probability for it to go at either end of the word too. When they ask for 8-character-long passwords, that is what they get too. They also probably quite often appear in the order they ask for or list them.

      There is a limited testing pattern in that regard to find passwords.

      • (Score: 3, Touché) by owl on Friday September 27, @12:52PM

        by owl (15206) on Friday September 27, @12:52PM (#1374797)

        There is a limited testing pattern in that regard to find passwords.

        I'd word it as:

        Users will make the minimum number of changes necessary, from the "password" they already want to use, in order to bypass the "complexity filter".

        Hence the use of:

        Barney!4

        Instead of: f!z?>yi++WG\

        By 98.9% of users.

      • (Score: 1, Touché) by Anonymous Coward on Friday September 27, @03:01PM

        by Anonymous Coward on Friday September 27, @03:01PM (#1374814)

        And then they send you a text anyway, making the whole password thing moot.

    • (Score: 3, Informative) by NotSanguine on Friday September 27, @04:47PM (8 children)

      While forcing weird character combinations does make shorter passwords harder to dictionary guess, alpha only multi word passwords like correcthorsebatterystaple are far easier to remember and harder to guess than silly rule compliant passwords like Upper12!

      S'truth.

      Although I'd go further than that and recommend misquotes.

      What I mean by that is a song lyric, a quote from literature/history or other well-known phrase that's been slightly altered to defeat dictionary attacks. This allows you to easily remember whatever it you set for the password, and it will also (presumably) contain spaces and punctuation as well. For example:

      'A republic, if you can sleep on it.'

      or

      'Time keeps on flippin', flippin', flippin' into the suture.'

      and similar. Easy to remember, long enough to thwart brute force and different enough to thwart dictionary attacks.

      I'd argue that such passwords are more secure than something like 'SgoseGJK3&@js;j;a!p9743DEwsx' as you're never going to remember that, so you'll need to record it somewhere -- jeopardizing its security.

      I'm sure there are other arguments for/against, but it works for me.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 2) by owl on Friday September 27, @06:26PM (7 children)

        by owl (15206) on Friday September 27, @06:26PM (#1374829)

        'Time keeps on flippin', flippin', flippin' into the suture.'

        I'd argue that such passwords are more secure than something like 'SgoseGJK3&@js;j;a!p9743DEwsx'

        It's not. And password crackers have specific modes to work towards brute forcing things such as "time keeps on flippin'" by trying all combinations of words, with various combinations of separators. The security of the "string of common words" rests totally upon how big the word dictionary used is for John the Ripper (or hashcat) and how many GPUs the attacker wishes to buy to throw at it. The second one requires a true brute force across the entire alphabet of characters that can be typed in, which will usually result in a much, much larger search space more quickly than the string of words, esp. if the string of words is selected from a relatively small set of words (as will be the most common occurrence).

        as you're never going to remember that, so you'll need to record it somewhere -- jeopardizing its security.

        Except, even Bruce Schneier states that writing down a complex password is significantly more secure for all but the most "classified access" individuals. That cryptic password, that you remember by writing down and storing in your wallet (as in cash wallet), is more secure than the string of words you can remember.

        • (Score: 3, Informative) by NotSanguine on Friday September 27, @06:53PM

          It's not. And password crackers have specific modes to work towards brute forcing things such as "time keeps on flippin'" by trying all combinations of words, with various combinations of separators. The security of the "string of common words" rests totally upon how big the word dictionary used is for John the Ripper (or hashcat) and how many GPUs the attacker wishes to buy to throw at it. The second one requires a true brute force across the entire alphabet of characters that can be typed in, which will usually result in a much, much larger search space more quickly than the string of words, esp. if the string of words is selected from a relatively small set of words (as will be the most common occurrence).

          According to Security.org [security.org], 'Time keeps on flippin', flippin', flippin' into the suture.' would take 13*10^90 years to brute force. Whereas 'SgoseGJK3&@js;j;a!p9743DEwsx' would "only" take 25*10^36 years to brute force.

          You seem to be ignoring the fact that spaces and punctuation add significantly to the search space. What's more, you can't just brute force some of the password. Rather, it's an all or nothing endeavor. As such, even if your password is 'Four score and seventy years ago', which is quite close to the original quote, a dictionary attack won't work, as it's not the actual quote.

          And since brute force is all or nothing, again, according to security.org [security.org], brute forcing 'Four score and seventy years ago' would take 100*10^39 years.

          All that said, even if you were right and the time to brute force the above were reversed, some multiple of 10^36 years is plenty, especially since the Earth will be uninhabitable in less than 10^9 years.

          tl;dr: Using a misquote that's easy to remember is at least as difficult if not significantly more so to crack than random gibberish.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 2) by NotSanguine on Friday September 27, @07:28PM (5 children)

          It's not. And password crackers have specific modes to work towards brute forcing things such as "time keeps on flippin'" by trying all combinations of words, with various combinations of separators. The security of the "string of common words" rests totally upon how big the word dictionary used is for John the Ripper (or hashcat) and how many GPUs the attacker wishes to buy to throw at it.

          Ah, but it is.

          Here's an example for you. Even *if* I tell you where the misquote comes from, you won't be able to use a dictionary attack to find it, as it's not the exact quote. Here's a song lyric from Pink Floyd's "Dark Side of the Moon," which I used since it may well be some of the best known lyrics in the western hemisphere, given that it was on the Billboard top 100 album chart for nearly 30 years.

          Here's a SHA512 hash of the unmodified lyric:
          0f8eb77854b66ccf69c2f00018642b3935a9bac788575b4598ea029a3f85e397b1b32075f496522ca182e77d1ca605b58bfec640f10f4cec4e78b2328abb02d5

          And here's a SHA512 hash of the same lyric, but misquoted:
          fc2c9eaf04a53bc518e35c2c7d444bab2245806ae1a620fb219d73b07233847bdccbb4fe56f29a5b0e659bd489a507b68fa57a3699ca53e69021442ace0b5b82

          You can absolutely successfully perform a dictionary attack against the first hash, as it matches the song lyric exactly. Especially if you know where the lyric is from (which reduces the search space enormously).

          But even if I tell you that the lyric from the first hash is 'There is no dark side of the moon really. Matter of fact, it's all dark.' and if I tell you that the second hash is one or more minor changes to the lyric, you cannot perform a dictionary attack against it -- rather you'll have to brute force the modified lyric -- which would take ~300x10^90 years to crack.

          If what you posit is correct, given all the information I've given you, you should be able to crack the second hash within minutes, no? Good luck with that. I won't hold my breath.

          And note that a 'hacker' with the above hashes as part of a bunch of other hashes will not have the level of information I've just given you.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
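The two positions above (owl's combinator and rule modes, NotSanguine's posted SHA-512 challenge) can be run side by side. The block below is an added example written for this page, not code posted by either commenter, and it does not attempt the hashes in the thread: the word list, the phrase list and the one-word substitution list are constructed and tiny, the hashes are unsalted SHA-512 to match the challenge, and the two bit-count helpers at the end show why a cracker's phrase-list-plus-rules search and a character-level brute force (the model behind the "N*10^90 years" figures) give such different numbers for the same password.

```python
"""Added example: attacker modes against phrase-style passwords.

combinator_attack   - every ordered choice of words joined by a separator
phrase_attack       - a list of known quotes, optionally with a rule that
                      swaps any single word (what crackers do to exact quotes)
*_space_bits        - log2 of the candidate space each model actually walks
All lists are constructed for the example and deliberately small."""
import hashlib
import itertools
import math

WORDS = ["correct", "horse", "battery", "staple", "time", "keeps",
         "flippin", "into", "the", "future", "dark", "side", "moon"]
SEPARATORS = ["", " ", "-", "_"]
PHRASES = [                       # constructed stand-in for a lyric/quote list
    "Time keeps on slippin', slippin', slippin' into the future.",
    "Oh say can you see by the dawn's early light?",
    "Four score and seven years ago",
]
SUBSTITUTES = ["flippin'", "sleep", "wand's", "seventy", "slippin'"]


def sha512_hex(s: str) -> str:
    return hashlib.sha512(s.encode("utf-8")).hexdigest()


def combinator_attack(target_hex: str, max_words: int = 4):
    """Combinator mode. Returns (plaintext or None, candidates tried)."""
    tried = 0
    for n in range(1, max_words + 1):
        for sep in SEPARATORS:
            for combo in itertools.product(WORDS, repeat=n):
                tried += 1
                candidate = sep.join(combo)
                if sha512_hex(candidate) == target_hex:
                    return candidate, tried
    return None, tried


def phrase_attack(target_hex: str, with_rule: bool = False):
    """Phrase-list mode; with_rule adds a single-word-substitution rule."""
    tried = 0
    for phrase in PHRASES:
        tried += 1
        if sha512_hex(phrase) == target_hex:
            return phrase, tried
        if not with_rule:
            continue
        words = phrase.split(" ")
        for i in range(len(words)):
            for sub in SUBSTITUTES:
                candidate = " ".join(words[:i] + [sub] + words[i + 1:])
                tried += 1
                if sha512_hex(candidate) == target_hex:
                    return candidate, tried
    return None, tried


def phrase_space_bits(dictionary_size: int, n_words: int,
                      separators: int = 1, mutations: int = 1) -> float:
    """log2 of 'n words from a dictionary, a separator, rule variants'."""
    return math.log2(dictionary_size ** n_words * separators * mutations)


def charset_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of a character-level brute force over the whole alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(combinator_attack(sha512_hex("correct horse battery staple")))
    misquote = sha512_hex("Four score and seventy years ago")
    print(phrase_attack(misquote), phrase_attack(misquote, with_rule=True))
    print(round(charset_space_bits(95, 28)), round(phrase_space_bits(2000, 4, 4)))
```

Running it: the exact four-word phrase falls to the combinator run in under 40,000 candidates; the verbatim quote falls to the phrase list on the third try; the one-word misquote survives the plain phrase list but falls to the same list with a single-word rule in 117 candidates; a two-word misquote survives that rule and would need a bigger one. The bit counts make the scale explicit: 28 random printable characters are about 184 bits under a character-level model, while four words from a 2,000-word list with four separators are about 46 bits, and a known phrase with a handful of rule variants is a few bits above zero. Which model applies to a given password is what the thread is really arguing about.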
          • (Score: 2) by owl on Friday September 27, @08:19PM (4 children)

            by owl (15206) on Friday September 27, @08:19PM (#1374842)

            you should be able to crack the second hash within minutes, no?

            No, I can't, because I don't have the 20+way Nvidia GPU cluster necessary to even begin to hope to be successful. With that said, I also don't have the GPU cluster to be able to brute force even something like 'LbLSlQToLu'. (You'll note a pattern here - I don't have a GPU cracking cluster......)

            And, yes, someone who knows what they are doing can formulate a "string of words" that has more brute force complexity than a given "random jumble" of letters (this is always true, for either direction, just add more words, or more letters depending on which one you want to be 'harder to crack' than the other). But the average 'person on the street' is not likely to imagine a string of words on their own that will be sufficient to be more secure than something like '+&ZxLVmTuQ' generated by a decent random number generator and a relatively simple algorithm. So just telling the average joe that the "string of words" is better [1], without them understanding why, is not going to magically make them "more secure". It might move them away from using Password2! but won't necessarily make them "secure".

            [1] If for no other reason than that average joe is going to pick a string of words like "mary had a little lamb" (or one from any number of common phrases) as their string of words and we are right back to the same issue as 'Password2!', just with a phrase instead of a "word".

            • (Score: 2) by NotSanguine on Friday September 27, @10:18PM (3 children)

              But the average 'person on the street is not likely to imagine a string of words on their own that will be sufficient to be more secure than something like '+&ZxLVmTuQ' generated by a decent random number generator and a relatively simple algorithm.

              Ah, but that's where you're wrong. The "average person on the street" can memorize dozens of songs. In fact, we find it easier to remember song lyrics than other things, likely because the associated music is a cue. How many songs do you know?

              And just as music can be a cue to remember lyrics, a particular login or website can cue a song lyric (and, more specifically, a *modified* song lyric) quite easily.

              What's more, you're giving crackers *way* too much credit. Given that they'd have only a hash, a dictionary attack is useless, unless it's a well-known phrase repeated verbatim as recorded in the dictionary used.

              Let's take a fairly simple example: "Oh say can you see by the dawn's early light?" would be very susceptible to a dictionary attack since it's a well known song lyric.

              But if you change it even slightly to: "Oh hey can you see by the wand's early light?" a dictionary attack would be completely useless, as it doesn't match any known quote or song lyric. Which would then require a brute force attack which, according to security.org would take 100*10^90 years [security.org].

              You make mention of dictionary attacks that can *somehow* narrow things down, but that's not how it works. Because all you'll have is:
              1c9f5ad7fa8ed28d95ffb79c2de00b293b6cd1b618b956ecf4f8d62f0916888364b82fe54949d5589ba7bc4596a2702c120d120ed2fe608d6e954a1d6284b035

              and when the dictionary hits on "Oh say can you see by the dawn's early light?" it will come back as a failed attempt, with no additional information. You won't have any indication that the reversed hash is even close, so there's no reason to start changing words in a phrase you don't even know is close.

              What's more, how do you even know what language is being used? If I used "Besame culo, conio maricon!", using a dictionary of English words will fail *forever*. Whereas a brute force attack will only take 13*10^33 years.

              Here's the SHA512 hash for that:
              e3c184b6f8aa97d7f1bc8d64532f0d12b7218a280815489f6c30d860c9e13ef128d23732e8f691393d6c6af9daa08ee3642373062f26f851995c700d4ee76355

              Can you (or anyone else) tell what language (and if I use something like "Yo no se. I was drinking und das ist ausgezeichnet!" you'll need an all language dictionary) either of the above might be based on the hash?

              So thinking of your favorite song and changing one or more words in a lyric is an *excellent* way to create essentially uncrackable passwords that are easy for *you* to remember.

              Do you really think other folks are too stupid to remember *any* song lyrics? Please.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
              • (Score: 2) by Gaaark on Tuesday October 01, @12:02PM (2 children)

                by Gaaark (41) on Tuesday October 01, @12:02PM (#1375250) Journal

                I like mixing, such as 'Time keeps on flipping, flipping, and Barney was his name-oh'

                But i would do it more as 'Time keeps on flopping, dropping, and Barney was her name.Oh.'

                **(This is just an example: my password would be different because i don't use song lyrics. More along the 'staple horse battery correct' method. I would do more like 'choose wisely for score and seventh years agoo'

                My mind seems to remember word associations from book titles best. Choose a book title and feck it up a bit with other book titles. Like 'For skore 7 Thomas de tank injun' (Four score and Thomas the tank engine) Long, but not really associative.

                Much better than gobbledy-gook written down. If your password is 30+ characters long and remembered, it's better than 12 gobbledy-gooks written down.

                --
                --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
                • (Score: 2) by NotSanguine on Tuesday October 01, @07:48PM (1 child)

                  **(This is just an example: my password would be different because i don't use song lyrics. More along the 'staple horse battery correct' method. I would do more like 'choose wisely for score and seventh years agoo'

                  My mind seems to remember word associations from book titles best. Choose a book title and feck it up a bit with other book titles. Like 'For skore 7 Thomas de tank injun' (Four score and Thomas the tank engine) Long, but not really associative.

                  Absolutely. Songs, quotes, mixed metaphors, multiple references in a single phrase. It's all fabulous, and assuming you use normal spacing and punctuation, the search space becomes much, much larger -- especially with spaces, as there's no way to know how long and/or how many words such a phrase might be.

                  Much better than gobbledy-gook written down. If your password is 30+ characters long and remembered, it's better than 12 gobbledy-gooks written down.

                  Yep. Once you get a long enough (non-standard, meaning not a direct, verbatim quote) password/phrase, we're talking longer than life will exist (less than 10^9 years) on Earth to brute force. And we can go much, much longer than that as the passphrase gets longer -- even without a lot of complexity, although it certainly doesn't hurt to use punctuation and (where appropriate) capital letters to make the passphrase more like normal language -- making it easier to remember.

                  The important thing (as you made clear) is to have a long (25+ characters) passphrase that's not a verbatim quote of anything (e.g., "Men are from Gondwana, women are from etouffee."), forcing anyone attempting to crack a hash to use brute force -- an impossible task in one person's (and potentially, one universe's) lifetime.

                  You go, Gaaark!

                  --
                  No, no, you're not thinking; you're just being logical. --Niels Bohr
                  • (Score: 3, Funny) by Gaaark on Tuesday October 01, @09:07PM

                    by Gaaark (41) on Tuesday October 01, @09:07PM (#1375394) Journal

                    You go, Gaaark!

                    Shit... you guessed my SN password!

                    Now i gotta go change it. Thanks, #NotSanguine

                    Let's see. 'You go, Gaaark!1'? No, already used. 'You go, Gaaark!2'? Nope. I used that 6 months ago.

                    I know.... 'You go, Gaaark!NotSanguine'! ;)

                    --
                    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 3, Insightful) by ese002 on Friday September 27, @06:46PM (2 children)

      by ese002 (5306) on Friday September 27, @06:46PM (#1374832)

      While forcing weird character combinations does make shorter passwords harder to dictionary guess, alpha only multi word passwords like correcthorsebatterystaple are far easier to remember and harder to guess than silly rule compliant passwords like Upper12!

      Long multiword passwords are much harder to type accurately. I suppose they would work fine for vocalised passwords à la Star Trek, but they suck for something that needs to be typed quickly and blind. Lots more lockouts and password resets.

      • (Score: 3, Interesting) by JoeMerchant on Friday September 27, @08:04PM (1 child)

        by JoeMerchant (3937) on Friday September 27, @08:04PM (#1374841)

        >Long multiword passwords are much harder to type accurately.

        I would argue against that, especially on phone keyboard interfaces where special characters can be 3-4 manipulations away...

        True, it slows people down and makes them more careful to type Shift+8 or whatever on a standard keyboard, but that also makes spying on their finger movements easier... all alpha without shift or Alt or Ctrl manipulations is much easier for me to type accurately, keyboard or phone. Also, not having to remember how particular things are mis-spelled or mangled into 1337 sp33K lowers the mental load of remembering multiple passwords.

        --
        🌻🌻 [google.com]
        • (Score: 3, Touché) by Dr Spin on Saturday September 28, @05:52AM

          by Dr Spin (5239) on Saturday September 28, @05:52AM (#1374886)

          "I would argue against phone keyboard interfaces"

          In fact, I do almost all day, every day.

          And NO, AI never understands a bloody word I say!

          I want a proper IBM keyboard, you insensitive clod

          --
          Warning: Opening your mouth may invalidate your brain!
  • (Score: 4, Informative) by esperto123 on Friday September 27, @05:13AM (5 children)

    by esperto123 (4303) on Friday September 27, @05:13AM (#1374777)

    https://xkcd.com/936/ [xkcd.com]

    The rule that I hate most is the periodic reset; the company I work for requires it every 6 months (it was 3 months some years ago). To me, unless you are in a position that can cause real trouble (like sysadmin), you should only change a password if you suspect or are sure of a leak, or if you WANT to change it for whatever reason.

    The most stupid rule that I know of is a bus card site from the city I live in, that requires the password to have at least one upper-case character, one number, one symbol and be exactly 8 characters long, not at least, but EXACTLY 8, and you have to change it every month; this makes it so much easier for the hackers...

    • (Score: 4, Insightful) by owl on Friday September 27, @12:56PM (1 child)

      by owl (15206) on Friday September 27, @12:56PM (#1374799)

      And, the new NIST requirements also throw out the "periodic change" rule. From TFA:

      Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

      The 3 month change cycle is why most 'corporate system' passwords are some variation upon:

      Barney!102024

      Where "102024" is either "month/year of last change" or "month/year of next expire month" -- resulting in perfect predictability of a given user's next password once someone obtains their prior password.

      • (Score: 2) by Gaaark on Tuesday October 01, @12:04PM

        by Gaaark (41) on Tuesday October 01, @12:04PM (#1375251) Journal

        Heh... i love seeing 'Spring2024' which changes to 'Winter2024', rinse, repeat.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
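The rotation patterns named in the two comments above (Barney!102024 with a month/year suffix, Spring2024 turning into Winter2024) can be caught at change time, when the verifier still has both the old and the new password in hand. The block below is an added example for this page, not code from the thread or from NIST: it strips a trailing season, quarter or month word plus any digits and punctuation from both values and rejects a change whose only difference is that suffix. The regular expression and the example pairs are constructed.

```python
"""Added example: reject password changes that only rotate a date-like suffix.

stem()                  - password with the trailing date/season token removed
is_calendar_password()  - the whole password is such a token (Spring2024)
is_predictable_rotation - old and new share a stem (Barney!102024 -> Barney!012025)
The regex is a constructed heuristic, not a standard."""
import re

# Optional punctuation, optional season/quarter/month word, then any run of
# digits and punctuation, anchored to the end of the string.
TRAILING = re.compile(
    r"[\W_]*"
    r"(?:spring|summer|autumn|fall|winter|q[1-4]|"
    r"jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
    r"aug(?:ust)?|sep(?:tember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?)?"
    r"[0-9\W_]*$",
    re.IGNORECASE,
)


def stem(password: str) -> str:
    """The part the user actually remembers and carries between changes."""
    m = TRAILING.search(password)       # always matches, at worst the empty tail
    return password[: m.start()]


def is_calendar_password(password: str) -> bool:
    """True when the entire password is a season/month/year token."""
    return password != "" and stem(password) == ""


def is_predictable_rotation(old: str, new: str) -> bool:
    """True when new differs from old only in its trailing date-like token.
    Case-insensitive, so Barney!2024 -> barney!2025 is caught as well."""
    return stem(old).casefold() == stem(new).casefold()


def check_change(old: str, new: str) -> list[str]:
    """Reasons to reject a password change; an empty list means accept."""
    reasons = []
    if is_calendar_password(new):
        reasons.append("password is only a season or date")
    if is_predictable_rotation(old, new):
        reasons.append("new password is the old one with a different date suffix")
    return reasons
```

This only works at the moment of change, when the old password is presented in clear; once only the hash remains, the comparison is impossible, which is one more reason the guidance drops forced rotation rather than trying to police it.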
    • (Score: 2) by Freeman on Friday September 27, @01:17PM (1 child)

      by Freeman (732) on Friday September 27, @01:17PM (#1374802) Journal

      Having password fields that were exactly X characters long is a thing from a bygone era mostly. You still find it some places, hopefully it's not your bank.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Saturday September 28, @08:14AM

        by Anonymous Coward on Saturday September 28, @08:14AM (#1374889)
        In my experience it's usually banks that force short passwords... 🤣
    • (Score: 3, Touché) by vux984 on Friday September 27, @06:48PM

      by vux984 (5045) on Friday September 27, @06:48PM (#1374833)

      There are systems I use every few months that require password changes more often than I use them. I literally never log in without going through the reset-your-password loop. I use a password manager, but there's no point for this system; I might as well just use "I forgot my password" and reset it every time I need to use the system.

      I actually know people where this has become their default. Why remember a password at all? Just click I forgot, click the link in the email, put in some random trash and forget it immediately, get the text message and enter the code, and you're in. And I get it, it's not actually any less work than logging into some sites with the password - they still send you an email to verify and then some MFA etc. They know their email password, and maybe a couple of others that they use regularly, and for everything else "I forgot my password" is how they log in.

      Actually I even know people who don't even know their email password - the connection is established on their laptop and on their phone, and that's it then they forget. And every time either device needs replacing, they have to go through a whole rigmarole of getting their passwords reset.

  • (Score: 5, Interesting) by Dr Spin on Friday September 27, @09:20AM (3 children)

    by Dr Spin (5239) on Friday September 27, @09:20AM (#1374785)

    Sites that require a symbol, and then disallow a whole bunch of symbols (like + and -) but don't actually tell you that, so you spend ages trying to set your password, and it refuses (in yesterday's case, with the message "passwords do not match"). I didn't suspect them of disallowing symbols after they required them, and I was sure that the two passwords matched (after turning on "see password"*).

    Clicking help takes you to an AI bot that does not understand the problem which routes you to a page that does not exist.

    Don't people test web pages any more?

    * Why do we have the password hidden when creating it? If people are looking over your shoulder, you should not create the password - they can always watch what keys you are pressing anyway.

    --
    Warning: Opening your mouth may invalidate your brain!
    • (Score: 5, Insightful) by owl on Friday September 27, @12:59PM

      by owl (15206) on Friday September 27, @12:59PM (#1374800)

      Don't people test web pages any more?

      No. The normal "move fast and break things" mentality that has pervaded the industry results in this method of development for most websites:

      Designer vomits some crap into a bucket.

      Web Front End Programmer consumes the vomit and shits out a website.

      With the result that you can polish a turd all you like, and it will never become a diamond.

    • (Score: 2) by bzipitidoo on Friday September 27, @03:06PM

      by bzipitidoo (4388) on Friday September 27, @03:06PM (#1374816) Journal

      Yeah, ran into one of those that insisted on a special character but wouldn't allow comma.

      The one that annoyed me the most was a system with three problems. 1st, its password update process was so slow that it took a full day for the new password to go into effect. At first I thought I had mistyped my new password, and it was several minutes before I thought to try my old password, and found that it still worked. All that day, the old password continued to be the correct one. I still wondered if I had somehow caused the password change process to abort, but the next day, the new password worked. Huh.

      The 2nd problem was that it silently truncated passwords to 8 characters! It lets you enter longer passwords, and then simply chops them down. You could go quite a while thinking you had a longer password. Of all the stupid design elements, that one is near the top of my list. (What's at the top? y2k bugs! Maybe not all y2k bugs, just the stupidest ones such as a 1994 program that needed only 1 date, not thousands, and they got cheap. Yeah, let's make a bug to save 1 byte, that's so important on computer systems that have multiple megabytes of memory!) I found out about the password truncation with my 9 character password one day when hastily entering it. I hit the Enter key a fraction of a second before I entered the last character of my password, and, it worked, I was logged in, with the last character of my password now the first character on the command line. Further testing showed that for the password challenge, I could type in any garbage beyond the 8th character, and it would log me in.

      Many systems have had this problem of not turning off keypress buffering and echoing around password entry. The password entry itself is obfuscated (largely needlessly, as you pointed out, shoulder surfers quite able to watch which keys you press, no need to look at the screen), but keystrokes just before and after are not. The infamous sluggishness of that system would sometimes but not always generate a noticeable pause between accepting a username and prompting for the password. During that moment, if the user started typing in the password, expecting that the system was ready for it, the password would be echoed back to the console, in the clear.

      Which brings up another of my pet peeves: stop using the userID for authentication! Ask for passwords only. There are so many pieces of information that people ignorant of security insist on trying to have both ways, both public knowledge and proof of identity. Yes, keep your Social Security Number a big BIG secret so that identity thieves can't steal all your money! But you need to enter your SSN every year on tax forms, and when applying for credit or loans, or renewing a license, or leasing something, or a whole host of other things. Mother's maiden name is another disastrously public piece of info that has been used to verify identity. Everyone on a person's mother's side of the family is going to know mother's maiden name! And everyone who knew your mother before she married. Also, that tradition is no longer followed by everyone, more and more, women are keeping their maiden names, and for good reason. One such reason is voter suppression efforts to try to disenfranchise women whose last names don't match their birth certificates because they got married and followed that tradition of changing their last names to that of their new husbands'. As often is the case with such bull, the people pushing the voter suppression that will drive more women away from that marriage tradition are the same who scream about marriage being under attack.

      Yes, I understand that asking for the userID limits cracking attempts to one userID at a time, instead of all of them. But that brings us to the next issue: why do systems do more than let users choose their own passwords? They force users to do so, and then scold users for not making good passwords. Anymore, I'm at the point of: F it, I'll run with Firefox's securely generated password so I don't have to be bothered making up yet another password.
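The failure mode Gaaark describes above (keystrokes typed ahead of a slow prompt being consumed by the wrong prompt and echoed in the clear) is closed on POSIX terminals by discarding the pending input and turning off echo in one termios call, before the prompt is even printed. The following is an added example written for this page, not code from the thread or from any of the systems discussed; the function names and the explicit file-descriptor arguments are its own choices, made so the same code can be driven from a pseudo-terminal rather than only from a live console.

```python
# Added example (not code from the thread): a password prompt that clears
# "typed-ahead" input and turns off echo before reading, so a password typed
# during the pause between the username and password prompts is neither
# consumed by the wrong prompt nor echoed in the clear.
# Assumes a POSIX terminal (termios). Descriptors are passed explicitly.
import os
import termios


def set_password_mode(fd: int) -> list:
    """Turn off ECHO on the tty behind fd and return the previous settings.

    TCSAFLUSH applies the change after pending output has drained AND
    discards input already queued (the premature keystrokes). Forgetting
    that second effect is the bug the thread describes.
    """
    saved = termios.tcgetattr(fd)
    new = termios.tcgetattr(fd)            # separate copy to modify
    new[3] &= ~termios.ECHO                # index 3 is c_lflag
    termios.tcsetattr(fd, termios.TCSAFLUSH, new)
    return saved


def restore_mode(fd: int, saved: list) -> None:
    """Put the terminal back the way it was (TCSADRAIN: wait for output)."""
    termios.tcsetattr(fd, termios.TCSADRAIN, saved)


def read_line(fd: int) -> str:
    """Read one line in canonical mode, stripping the line terminator."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = os.read(fd, 1024)
        if not chunk:                      # EOF
            break
        buf += chunk
    return buf.rstrip(b"\r\n").decode("utf-8", "replace")


def read_password(fd_in: int = 0, fd_out: int = 1,
                  prompt: bytes = b"Password: ") -> str:
    """Prompt for a password with echo off and stale input discarded."""
    saved = set_password_mode(fd_in)       # flush + echo off, atomically
    try:
        os.write(fd_out, prompt)           # only now is it safe to prompt
        secret = read_line(fd_in)
        os.write(fd_out, b"\n")            # the newline Enter would have echoed
    finally:
        restore_mode(fd_in, saved)         # restore even on Ctrl-C or EOF
    return secret


if __name__ == "__main__":
    pw = read_password()
    print(f"read {len(pw)} characters (not shown)")
```

The order matters: the flush has to happen after the program is ready to read and before the prompt appears, otherwise a user who started typing early still loses (or leaks) their password. The `finally` block is what keeps a Ctrl-C during entry from leaving the terminal with echo permanently off.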

    • (Score: 3, Interesting) by vux984 on Friday September 27, @07:31PM

      by vux984 (5045) on Friday September 27, @07:31PM (#1374838)

      re *

      Why differentiate creating the password vs. using it? The same risk applies in both cases. It's really not practical to always be completely alone when entering a password, and it's MUCH much simpler to see it on the screen, even without really trying. To get someone's password by watching them typing you'd have to be trying, or perhaps even recording it. Plus, when I did IT support I was frequently supporting people who needed to enter passwords or create passwords while I was remoted in, and as a user I have had IT connected while I needed to log into something too. Sure, they could log keystrokes, but the point is they aren't trying to get your passwords anyway; but if it's just displayed it's hard not to see it. Hidden by default is pretty sensible.

  • (Score: 1) by shrewdsheep on Friday September 27, @09:32AM

    by shrewdsheep (5215) on Friday September 27, @09:32AM (#1374787)

    applies: "We can solve any problem by introducing an extra level of indirection."

    The use of password managers should be advocated by NIST, which is, at the moment, the only viable software solution for strong, site/app-unique passwords.
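What a manager's generator has to get right, as an added example written for this page (not code from any password manager or from the thread): draw from the OS CSPRNG rather than a seeded PRNG, size the password from a target entropy rather than a fixed length, and satisfy any composition rule a site still imposes by rejection sampling, so the output stays uniform over the allowed strings instead of, say, always putting the digit last. The alphabet, the 96-bit default and the function names are assumptions of the example.

```python
# Added example (not code from any password manager): CSPRNG-backed
# generation sized by entropy, with site composition rules met by rejection
# sampling. Alphabet and 96-bit default are assumptions of this example.
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-./:=?@^_~"            # assumed "safe almost everywhere" set
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` independent uniform draws from the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose uniform draws carry at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate(bits: float = 96, alphabet: str = ALPHABET,
             require_classes=(LOWER, UPPER, DIGITS, SYMBOLS),
             max_len=None) -> str:
    """Return a random password with at least `bits` of entropy.

    `max_len` models a site's length cap; if the cap cannot reach the
    entropy target we refuse rather than silently hand back a weak secret.
    `require_classes` models a site's composition rule.
    """
    n = length_for_bits(bits, len(alphabet))
    if max_len is not None and n > max_len:
        raise ValueError(
            f"{max_len} chars of this alphabet give only "
            f"{entropy_bits(max_len, len(alphabet)):.1f} bits, need {bits}")
    while True:
        # secrets.choice uses the OS CSPRNG; random.choice would not do.
        candidate = "".join(secrets.choice(alphabet) for _ in range(n))
        # Rejection sampling: resample until the rule holds. This keeps the
        # distribution uniform over the strings that satisfy the rule, at
        # the cost of a tiny entropy loss (the rejected fraction) that is
        # negligible at 16+ characters.
        if all(any(c in cls for c in candidate) for cls in require_classes):
            return candidate


if __name__ == "__main__":
    pw = generate()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

The refusal path is the part worth copying: a manager that quietly shortens the password to fit a site's 12-character cap has turned a 96-bit secret into a 75-bit one without telling the user, which is exactly the kind of silent downgrade the NIST draft is trying to stop on the verifier side.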

  • (Score: 4, Interesting) by Freeman on Friday September 27, @01:20PM

    by Freeman (732) on Friday September 27, @01:20PM (#1374803) Journal

    Who is doing this and why haven't they been fired?

    9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

    --
    Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
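To see what rule 9 prevents, the added example below (written for this page; not code from NIST, the thread or any real verifier) contrasts a deliberately wrong verifier whose hash only ever sees the first 72 bytes of the password, which is the limit a bcrypt-backed implementation silently imposes, with one that pre-hashes the password to a fixed length so every byte counts. PBKDF2 from the standard library stands in for the slow hash; the TRUNCATE_AT constant, the iteration count and the function names are assumptions of the example.

```python
# Added example (not code from NIST or the thread): a truncating verifier
# ("before", deliberately wrong) beside one that checks the whole password.
# PBKDF2 stands in for the slow hash; 72 mirrors bcrypt's input limit and
# the iteration count is kept low so the example runs quickly.
import hashlib
import hmac
import os

ITERATIONS = 50_000    # assumption for the example; raise for production
TRUNCATE_AT = 72       # bytes a bcrypt-style hash silently keeps


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def enroll_truncating(password: str):
    """'Before': only the first TRUNCATE_AT bytes reach the hash."""
    salt = os.urandom(16)
    return salt, _kdf(password.encode("utf-8")[:TRUNCATE_AT], salt)


def verify_truncating(password: str, salt: bytes, digest: bytes) -> bool:
    probe = _kdf(password.encode("utf-8")[:TRUNCATE_AT], salt)
    return hmac.compare_digest(probe, digest)


def _prehash(password: str) -> bytes:
    """Fold any length down to 64 hex characters before the slow hash.

    Hex rather than the raw digest: a raw digest can contain a NUL byte,
    which a C-string based hash would treat as end of input, reintroducing
    truncation by a different route.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest().encode("ascii")


def enroll_full(password: str):
    """'After': every byte of the password influences the stored digest."""
    salt = os.urandom(16)
    return salt, _kdf(_prehash(password), salt)


def verify_full(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_kdf(_prehash(password), salt), digest)


def truncation_bug_present(enroll, verify, prefix_len: int = TRUNCATE_AT) -> bool:
    """True if a password that differs only beyond prefix_len still verifies."""
    padding = "A" * prefix_len
    salt, digest = enroll(padding + "correct-suffix")
    return verify(padding + "WRONG-suffix", salt, digest)


if __name__ == "__main__":
    print("truncating verifier accepts wrong suffix:",
          truncation_bug_present(enroll_truncating, verify_truncating))
    print("full verifier accepts wrong suffix:",
          truncation_bug_present(enroll_full, verify_full))
```

Note the byte-versus-character distinction: the truncating path cuts at 72 bytes of UTF-8, so a 40-character password made of two-byte characters is already past the limit, and the cut can land in the middle of a code point. Pre-hashing sidesteps both problems.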
  • (Score: 4, Funny) by theluggage on Friday September 27, @02:04PM (2 children)

    by theluggage (1797) on Friday September 27, @02:04PM (#1374807)

    and the use of security questions.

    …hurrah! No more having to name your cat “f3l1X$2958”!

    • (Score: 0) by Anonymous Coward on Friday September 27, @03:05PM

      by Anonymous Coward on Friday September 27, @03:05PM (#1374815)

      You can either look up my mother's maiden name, or you can factor a 256-bit integer into 2 primes. Which do you prefer?

    • (Score: 2) by Zoot on Saturday September 28, @02:25AM

      by Zoot (679) on Saturday September 28, @02:25AM (#1374875)

      I have to use those names for my pets because Blizzard burned all my original security question answers when they got hacked.

      Now security questions are just "extra bonus passwords" that I have to make up and store somewhere along with the actual password.

  • (Score: 3, Insightful) by Zoot on Saturday September 28, @02:33AM

    by Zoot (679) on Saturday September 28, @02:33AM (#1374876)

    It's about time someone came out with proper password recommendations.

    If a web site/service allows unlimited password "guessing", or the hackers have gotten your hashed password off of the server then it's kind of already over. But for any properly designed service, password complexity isn't even that important because you don't get the chance to guess without limit.

    And changing passwords is even worse, and just increases the chance that the user will break the one true cardinal rule of passwords, which is: Never ever re-use a password between two different services, and especially don't use the same password for something critical like your email account and some random web site. And don't re-use an old password even if you think "I haven't used that in years".

    And here's a nice new little level of paranoia to worry about. How many times have you gone to log into something, and absentmindedly entered the wrong password, but it's a password to some other important thing in your life? Imagine a compromised web site that's logging password *failures* and then combines what you entered with your username and email and goes and tries out that logon on other popular services?
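Zoot's point that complexity matters little once guessing is rate-limited is the verifier's side of the bargain, and the closing worry about a site recording failed passwords is the other side of the same design. The added example below (written for this page, not code from the thread or from any real service) throttles failures per account and per client address against a simulated clock, answers unknown users and wrong passwords identically so the response does not reveal whether an account exists, and records only timestamps for failed attempts, never the string that was submitted. The credential store, KDF parameters, thresholds, RFC 5737 documentation addresses and names are assumptions of the example.

```python
# Added example (not code from the thread): login throttling per account
# and per client address. Timestamps are passed in rather than read from
# the clock so the behaviour is deterministic; store/KDF/thresholds are
# assumptions of the example.
from collections import deque
import hashlib
import hmac
import os

ITERATIONS = 50_000    # assumption for the example; raise for production


class GuessLimiter:
    """Locks a key (account or client IP) after `max_failures` failures
    inside `window_s` seconds, for `lockout_s` seconds."""

    def __init__(self, max_failures=5, window_s=900.0, lockout_s=900.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = {}       # key -> deque of failure timestamps
        self._locked_until = {}   # key -> time the lock expires

    def _recent(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and q[0] <= now - self.window_s:   # expire old failures
            q.popleft()
        return q

    def is_locked(self, key, now) -> bool:
        return self._locked_until.get(key, 0.0) > now

    def record_failure(self, key, now) -> None:
        q = self._recent(key, now)
        q.append(now)            # timestamp only: never store what was typed
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            q.clear()

    def record_success(self, key) -> None:
        self._failures.pop(key, None)


def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def enroll(password: str):
    salt = os.urandom(16)
    return salt, _kdf(password.encode("utf-8"), salt)


# Used for unknown usernames so they cost the same KDF work as real ones.
_DUMMY = enroll("dummy-credential-for-equal-timing")


def login(store, limiter, username, password, client_ip, now) -> str:
    """Return 'locked', 'fail' or 'ok'.

    Both the account and the client address are checked and charged, so
    one attacker cannot spray a password across many accounts, and many
    attackers cannot pool their guesses against one account.
    """
    user_key, ip_key = "user:" + username, "ip:" + client_ip
    if limiter.is_locked(user_key, now) or limiter.is_locked(ip_key, now):
        return "locked"
    salt, digest = store.get(username, _DUMMY)
    probe = _kdf(password.encode("utf-8"), salt)       # always do the work
    ok = (username in store) and hmac.compare_digest(probe, digest)
    if not ok:
        limiter.record_failure(user_key, now)
        limiter.record_failure(ip_key, now)
        return "fail"                                  # same answer for unknown users
    limiter.record_success(user_key)
    return "ok"
```

One limiter with prefixed keys keeps the example short; in practice the per-address thresholds should be looser than the per-account ones, because a lockout keyed on a shared NAT address is a denial-of-service lever for everyone behind it. What the limiter deliberately does not keep is the failed password itself, so a compromised service has nothing to replay against the user's other accounts.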
