Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Funny) by Anonymous Coward on Tuesday October 10 2017, @09:47PM (8 children)

    by Anonymous Coward on Tuesday October 10 2017, @09:47PM (#580087)

    Do these new rules mean I can change my password back to "hunter2"?

    Starting Score:    0  points
    Moderation   +1  
       Funny=1, Total=1
    Extra 'Funny' Modifier   0  

    Total Score:   1  
  • (Score: 3, Funny) by takyon on Tuesday October 10 2017, @09:51PM (5 children)

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Tuesday October 10 2017, @09:51PM (#580095) Journal

    We're recommending the upgraded security of "hunter1". It works because the adversary assumes you would move on to "hunter3".

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by bob_super on Tuesday October 10 2017, @09:54PM (4 children)

      by bob_super (1357) on Tuesday October 10 2017, @09:54PM (#580096)

      I'm totally going for 123456 or qwerty, because no attacker would believe I'm stupid enough to use those in 2017.

      • (Score: 2) by frojack on Tuesday October 10 2017, @10:32PM (1 child)

        by frojack (1554) on Tuesday October 10 2017, @10:32PM (#580122) Journal

        But every cracking algorithm still has those at the top of their list. Even though we all know you get exactly 3 tries.

        None of this cracking stuff is done by the geeky computer girl nerd as seen on EVERY stupid TV show. How come its always a girl? How come she gets it on the third try every time?

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 3, Funny) by bob_super on Tuesday October 10 2017, @10:55PM

          by bob_super (1357) on Tuesday October 10 2017, @10:55PM (#580135)

          That's because she's the only one to check whether he's got a picture of his girlfriend or his kids on his desk.
          Real geeks don't have the feels it takes for social engineering, you know!

      • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:15AM

        by Anonymous Coward on Wednesday October 11 2017, @12:15AM (#580178)

        "username" and "password" seem like good security.

      • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @02:27PM

        by Anonymous Coward on Wednesday October 11 2017, @02:27PM (#580478)

        Upgrade to Dvorak adn fool them even furter by changing to ',.pfy

  • (Score: 2) by el_oscuro on Tuesday October 10 2017, @11:40PM

    by el_oscuro (1711) on Tuesday October 10 2017, @11:40PM (#580159)

    How did you get my SN password? It was all ***** on the screen when I typed it!

    --
    SoylentNews is Bacon! [nueskes.com]
  • (Score: 0) by Anonymous Coward on Tuesday October 10 2017, @11:55PM

    by Anonymous Coward on Tuesday October 10 2017, @11:55PM (#580165)

    Finally you can omit the "2".