The latest NIST (United States National Institute of Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
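As an added illustration (not part of the story or any comment), a verifier-side check that follows the summary's list: a length minimum and a generous maximum, screening against a list of well-known passwords after undoing predictable substitutions, and no composition rules. The blocklist and context words are constructed stand-ins for a real breach corpus.

```python
import unicodedata

# Constructed blocklist standing in for the "well known" / breached-password list a
# verifier is expected to screen against (a real deployment uses a large breach corpus).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "swordfish", "iloveyou"}

# Common letter-symbol substitutions. Normalising them maps Sw0rdF!s# back onto
# "swordfish": the predictable variation that composition rules tend to produce.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "5": "s",
                      "$": "s", "7": "t", "@": "a", "#": "h"})

MIN_LEN = 8    # minimum of 8 characters for user-chosen secrets
MAX_LEN = 64   # allow long passphrases rather than truncating them

def normalize(pw: str) -> str:
    """Unicode-normalise (NFKC), lower-case, and undo common substitutions."""
    return unicodedata.normalize("NFKC", pw).lower().translate(LEET)

def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: any requirement for digits, upper-case letters or symbols,
    and no hint or expiry logic, since the guidelines recommend against all of these.
    """
    reasons = []
    n = len(pw)  # code points, not bytes, so non-ASCII letters count as one character
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    norm = normalize(pw)
    if norm in BLOCKLIST:
        reasons.append("matches a commonly used password")
    # Context-specific words (username, service name) are screened as well.
    for word in context:
        if word and normalize(word) in norm:
            reasons.append(f"contains context word {word!r}")
    # Repetitive or sequential strings (aaaaaaaa, 12345678) are rejected too.
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if n >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:])):
        reasons.append("sequential characters")
    return reasons
```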
(Score: 4, Interesting) by edIII on Friday August 19 2016, @08:33PM
Well, yeah, but what if you hate the users? ;)
Just load up some Rainbow tables and make sure a password doesn't exist within it, or at least warn the user that the password is in the 'well known' list.
Fuck that. If you don't, the keyspace becomes reallllly fucking small really fucking fast. You'd figure NIST would understand something about permutations and the average office worker that will tape their password on the monitors...
At a minimum it needs to be a combination of both letters and characters, ONE of them being capitalized. Doesn't matter where. That together represents a keyspace of 62^8 versus 26^8.
The best password is at least 4 words, or 2 phrases, with numbers surrounding them:
RockyMountain2287234OysterSquirrel. - Easier
Costlier343Bluegrass997PredonatingPlonk2227373. - Harder
The numbers can be in the form of 7 digits, which is easier to remember like a phone number. I've sometimes used phone numbers that were disconnected, but popular. Like this pizza place back in the 80's I loved. You can even begin and end it with 3 number sequences, or better, randomly dispersed between the words or phrases.
You would think they're harder to remember, but they are much easier to remember than 8 random characters over 80+ possible characters in some cases. I've forgotten passwords that I was able to recreate just by trying combinations of it, so it has some memory error recovery built in.
It's all about permutations and probability so I can't understand why NIST is asking to deliberately weaken keyspace....
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by Snow on Friday August 19 2016, @09:28PM
I have a handful of passwords but most logins use the same insecure password. Do I care if my soylent login gets hacked? Not really, so insecure password it is. I have a work password that meets work requirements and has a number tacked on the end so when it expires, I increment the number.
Finally I have my 'super-secure' password, which is a derivative of my deceased dog's ear tattoo number. It seemed like a good idea, because if I ever forgot it, I could just call her over and take a peek.
Anyways, my password strategy is complete shit, but convenient, and I like it that way.
As a side note, one of my email accounts was compromised. My ISP locked the account and I had to call them to unlock it. They made me choose a long password. I have no idea what it is. I had to change it to log in when I changed my mobile device. That was less than a week ago, and I tried to log in today, and I have no idea what the password is anymore - super annoying.
(Score: 2) by Dr Spin on Saturday August 20 2016, @08:56AM
That is why you put it on a post-it note on the monitor!
Warning: Opening your mouth may invalidate your brain!
(Score: 2) by theluggage on Friday August 19 2016, @09:35PM
Costlier343Bluegrass997PredonatingPlonk2227373
From TFA: "Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”
Ok, they're engaging in a little comic exaggeration, but I've encountered plenty of services that wouldn't accept your password suggestions unless you scattered a few "!" and "$" symbols in there (making it harder to remember for you for relatively little security gain).
It's all about permutations and probability so I can't understand why NIST is asking to deliberately weaken keyspace....
No, it's about user friendliness as well, and, taken together, the overall thrust of the rules is trying to make passwords easier to remember and encourage the use of longer phrases that users don't need to write down. The only effect of composition rules is to make people use well-known letter-symbol substitutions. "SwordfishTastesBetterWithPeanutButter" is surely an improvement over "Sw0rdF!s#" even if it's not up to your standards...
My objection is that this is all well and good but I still can't invent and remember 100 strong passwords (especially as my dear employer insists on changes every 90 days). Can't we find a better way? I'm basically reliant on a password manager to generate and fill in passwords anyway so why can't I just exchange public keys and have my computer do challenge/response?
(Score: 2) by edIII on Friday August 19 2016, @10:51PM
It probably isn't. What's difficult to see is that the phrases are actually a reduction in keyspace. The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters. Superficially, those 38 characters are stronger. Another way to look at it though, is that is just 6 words with consistent capitalization. So the permutations are not really a whopping 38^52, but the number of possible words raised to the 6th power.
A quick search [quora.com] for the number of words an average English speaker knows revealed that at age 12 it was only around 12,000 words. A college graduate may understand 23,000, and the average Millennial American now may know as many as 1,000 I think, and can spell half of them....
30,000 raised to the 6th power is actually less than your difficult 9 character password by about 60 orders of magnitude. You want those words to not only be random, but to be gibberish in a sentence. Your phrase is actually correct. The interspersing of a few number sequences raises the permutations quite significantly, while not making it all that much more difficult. We can remember 7 digit numbers fairly easily, and do so all the time.
It's not about up to my standards at all. MATH. That's it. The only standard. Higher permutations and lower probabilities are always better, so my standard is whatever will ultimately increase keyspace, in the most user friendly manner I can find.
Hehe. That's pretty much what 90% of us here do I bet. Challenge is that it's a bit more sophisticated, and not as easy to maintain when you're not a power user. I do agree though, it would be kickass if the browsers would start supporting SSH key management. You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though. At the moment I suspect most of us use the challenge/response with SSH to establish encrypted tunnels that have access to administrative systems, those not even being accessible from the Internet at all. Which is fairly critical in a lot of cases, and the last use case saved my butt. The web management was hacked for a popular piece of equipment and many people were being owned, unless you had web management blocked with IP tables and only allowed tunnel'd SSH sessions to access it.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by fnj on Saturday August 20 2016, @12:04AM
Oopsie. Doesn't compute. 30,000 raised to the 6th power is 2.43E+22. 96 raised to the 9th power is 5.73E+19. Sorry, but 6 words picked randomly from a set of 30,000 represents MORE entropy than 9 characters picked randomly from a set of 96. Isn't math wonderful? And astonishing?
You need to revisit the concept of orders of magnitude. 60 orders of magnitude spans the range from 1 to 1E+60. It is an almost unimaginably vast range. The number of atoms in the UNIVERSE is only estimated to be about 1E78 to 1E82.
(Score: 0) by Anonymous Coward on Saturday August 20 2016, @01:00AM
Not to mention that if you apply similar reduction to the complexity of Sw0rdF!s#, it is just one of maybe 30,000 words plus nine opportunities at maybe a half dozen variations (that is really being overly generous). With those assumptions, its entropy is only about 1.2E12, or forty bits.
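As an added worked example (not from any of the posters), the keyspaces argued over in the preceding comments computed in one place: random characters of various alphabets and lengths, six random words from 30,000, and the Anonymous Coward's model of Sw0rdF!s# as one common word with a handful of variants per position. The guessing rate is an assumed figure for illustration; the thread gives none.

```python
import math

# Assumed offline guessing rate against a fast, unsalted hash (constructed figure).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 86400

def keyspace(choices: int, picks: int) -> int:
    """Number of equally likely secrets: `picks` uniform selections from `choices`."""
    return choices ** picks

def bits(choices: int, picks: int) -> float:
    """Entropy in bits of the same scheme: picks * log2(choices)."""
    return picks * math.log2(choices)

def pattern_bits(components: list[tuple[int, int]]) -> float:
    """Entropy of a structured password built from independent parts (e.g. one
    dictionary word plus a variant per letter): the spaces multiply, so bits add."""
    return sum(bits(c, p) for c, p in components)

def orders_of_magnitude(space_a: int, space_b: int) -> float:
    """How many powers of ten larger space_a is than space_b."""
    return math.log10(space_a) - math.log10(space_b)

def years_to_exhaust(space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every secret at `rate` guesses/second (expected time is half)."""
    return space / rate / SECONDS_PER_YEAR

# The schemes discussed in the thread: label -> list of (choices, picks) parts.
SCHEMES = {
    "8 random lowercase letters":       [(26, 8)],
    "8 random letters and digits":      [(62, 8)],
    "12 random lowercase letters":      [(26, 12)],
    "9 random printable ASCII":         [(96, 9)],
    "6 random words from 30,000":       [(30000, 6)],
    # The Anonymous Coward's model of Sw0rdF!s#: one of 30,000 words, then about
    # six ways to write each of its nine positions (case, 0/o, !/i, #/h, ...).
    "1 common word with leet variants": [(30000, 1), (6, 9)],
}

def compare() -> dict[str, float]:
    """Entropy in bits per scheme, the figure that decides which is stronger."""
    return {name: pattern_bits(parts) for name, parts in SCHEMES.items()}

if __name__ == "__main__":
    for name, b in sorted(compare().items(), key=lambda kv: kv[1]):
        years = years_to_exhaust(2 ** b)
        print(f"{name:34s} {b:6.1f} bits  ~{years:.2e} years to exhaust at 1e10/s")
```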
(Score: 2) by edIII on Saturday August 20 2016, @01:11AM
Funny thing is, I used a calculator. Still should have sanity checked the value, but I was writing the post while also sysadmin'n ;) Please be gentle...
Thank you very much for checking the math. I certainly fat fingered the 96 ^ 9 for sure. I saw an exponent of 72 instead of 17. Go figure.
Can you check that again? :D
I got 7.29 * 10 ^ 26 [duckduckgo.com].
I think it's contagious. You're welcome.....
P.S - Also interesting to note that an average person with 15,000 word vocabulary is only about 1 order of magnitude less than Shakespeare. I keep feeling that there really is a loss of keyspace because words literally do reduce the keyspace away from just random letters. That's why I feel adding the numbers in there and shifting the words in between them significantly increases keyspace.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by theluggage on Saturday August 20 2016, @12:16PM
The latter is 9 characters expressed across a possible minimum of 72 characters, perhaps even up to 94. Yours is 38 characters expressed across 52 possible characters.
Trouble is, even if your math is correct (and a couple of people above have challenged it) you're basing it on false assumptions about the world - in particular that the password is randomly chosen and that the cracker will resort to a dumb "infinite monkey" technique to guess it. The "keyspace" of words that users are likely to pick is far, far smaller than the number of possible permutations.
"Sw0rdF!s#" isn't "9 characters expressed across a possible minimum of 72 characters" - it's a commonly used password [wikipedia.org] that will be on many lists of "bad passwords" with a couple of predictable "readable" letter-symbol substitutions thrown in (CamelCase, O=0, i=! etc) - which is precisely what you are going to get if you simply force people to use "At least 1 upper case character, 1 symbol and 1 number".
Any self respecting "rainbow table" or other cracking tool will surely include some of these common permutations. Also, you somewhat assume that the cracker is trying to crack one specific password: more likely, they've got 100,000 password hashes from somewhere and they'll be happy if 10 of them turn out to be "$3cr3t" or "Pa55w0rd". Or that they know your Facegoog password is "Sw0rdF1sh" and are trying to guess which minor variation is your Twitbook password. Any system that lets hackers brute-force passwords by making repeated login attempts has more urgent problems than its password policy.
You hit a secure website and *your* system pops up the request for the passphrase, decrypts your key, and then securely presents it to the remote site. That's a lot of work that I doubt will ever happen though.
Yet every half-decent terminal emulator or file-transfer utility supports it for SSH.... and HTTPS effectively does the reverse to authenticate the site. All the crypto code needed is out there, it just needs the protocol and UI.
(Score: 2) by DECbot on Friday August 19 2016, @09:39PM
GreatSong(Tommy867-5309Tutone)
I see the allure.
cats~$ sudo chown -R us /home/base
(Score: 5, Informative) by http on Friday August 19 2016, @09:42PM
I can't tell if you're trolling or if you're actually not understanding the math: exponentiation trumps multiplication every time.
26 ^ 8 = 208827064576
62 ^ 8 = 218340105584896
...but...
26 ^ 12 = 95428956661682176
Adding 50% to the length of the password (not even doubling the length) gets you a keyspace three orders of magnitude greater than nearly tripling the alphabet size. The best password is a unique phrase that you can reliably reproduce.
I browse at -1 when I have mod points. It's unsettling.
(Score: 1, Insightful) by Anonymous Coward on Friday August 19 2016, @10:00PM
^^^This! And if the site has a policy where you have to change your password frequently, you will NEVER be able to come up with a secure password that you can remember. Thus, you will rely on the password recovery mechanism with its attendant weaker security. FAIL! Let people come up with a good password and keep it. If your system is compromised, the attackers will have walked off with your data before the password change policy kicks in anyway! Security theater, I tell you.
(Score: 2) by edIII on Friday August 19 2016, @11:12PM
I honestly don't understand the point you're trying to make. Yes, exponents result in MUCH larger numbers than simple multiplication.... but that's because it's multiplication over and over again. I'm sure you know that :)
However, what is the exponent again? The exponent is the number of selections you're making (password length) and the base is the total number of possibilities for that selection. At least when you want permutations of something.
My point remains. Keyspace is exponential of course, but one of them is larger than the other. You failed to note that:
That's quite a bit bigger than 218340105584896 (26 ^12). Which seems like we have a game of leap frog going on, and I'm gonna win with every character added :)
Only for the user. Security is evaluated quite impartially by simply looking at keyspace, probabilities, etc.
Not unless that base is quite large, and exponent isn't small, will you see the keyspace expand to over 70 orders of magnitude (minimum for me, although I feel a lot more comfortable at 100). You still need at least 8 characters before exponents start "creating walls" that make brute force not a viable activity. Using just characters that base is only 26. Capitals gives us 52. Adding in numbers gives us 62. Allowing a short range of symbols can give us upwards of 90. That makes a big difference.
Exponents also don't mean much when you take a closer look at the keyspace. Don't be fooled into thinking your phrases protect you, when they actually reduce keyspace. Any time you can infer a pattern, you're reducing keyspace. Squirrel seems like a good 8 characters, but it is in fact only ONE well known word. It's a single record in a Rainbow table, and doesn't represent the keyspace implied by 8 random characters. Likewise, 5 well known words do not represent 25+ selections against the alphabet. They represent 5 selections against the dictionary of words we know.
You need to work a little harder to increase keyspace, and reduce keyspace weaknesses by randomizing it a bit further. The adding of numbers or symbols dramatically increases keyspace, while not making it all that much harder to remember.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 3, Insightful) by stormwyrm on Saturday August 20 2016, @03:00PM
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Friday August 19 2016, @11:19PM
I use a hashing algorithm that I can perform in my head with a printed table to generate my password for each site. When the algorithm generates something that clashes with a site's fancy composition rules, I default to one of a couple memorized passwords depending on the importance of the site.
Without a password manager or a scheme like mine it's impossible to remember hundreds of unique passwords. By using fancy composition rules, you make it more difficult to remember the password and thus more likely for the user to just give up and use an old one.
(Score: 2) by stormwyrm on Friday August 19 2016, @11:41PM
Then your users will hate you right back, and they will undermine your security policy every chance they get, and do dangerous things like write their passwords down and put them in insecure locations, because they can't freaking remember them with all the asinine restrictions you try to impose. You need to compromise with the limitations of human memory and cognition and make it work for you instead of against you. This is why XKCD 936 [xkcd.com] is a reasonably sound recommendation, only I'd use more words instead of just four.
Numquam ponenda est pluralitas sine necessitate.