NIST recently published their four-volume SP 800-63-3 Digital Identity Guidelines. Among other things, volume B (SP 800-63B, the one covering authenticators) makes three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
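What a verifier that follows the three suggestions above actually looks like in code, as an added example (this is not NIST's code and not from the linked post): length is the only composition requirement, spaces and long pass phrases are accepted, and the candidate is checked against a breached/common-password blocklist and a few context-specific words instead. The blocklist, the context words and the run/sequence thresholds below are constructed for illustration; a real deployment would query a large breached-password corpus.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B.

Added example, not NIST's own code. BLOCKLIST and the context words are a
constructed stand-in for a real breached-password corpus."""
import unicodedata

MIN_LEN = 8   # 800-63B minimum for a user-chosen memorized secret
MAX_LEN = 64  # verifiers must accept at least 64 characters; reject rather than truncate

# Constructed sample of a breached/common-password blocklist (lower-case).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou"}


def normalize(secret: str) -> str:
    """Unicode NFKC so visually identical inputs hash to the same thing."""
    return unicodedata.normalize("NFKC", secret)


def has_long_run(secret: str, n: int = 4) -> bool:
    """True if any character repeats n or more times in a row ('aaaa')."""
    run = 1
    for a, b in zip(secret, secret[1:]):
        run = run + 1 if b == a else 1
        if run >= n:
            return True
    return False


def has_sequence(secret: str, n: int = 4) -> bool:
    """True if n or more consecutive code points ascend or descend ('abcd', '4321')."""
    for step in (1, -1):
        run = 1
        for a, b in zip(secret, secret[1:]):
            run = run + 1 if ord(b) - ord(a) == step else 1
            if run >= n:
                return True
    return False


def check_password(candidate: str, context_words=()) -> tuple:
    """Return (accepted, reason). No character-class rules on purpose."""
    secret = normalize(candidate)
    if len(secret) < MIN_LEN:
        return False, "too short"
    if len(secret) > MAX_LEN:
        return False, "too long"
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        return False, "found in breached/common password list"
    # Context-specific words: the username, the service name, etc.
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            return False, "contains context-specific word %r" % word
    if has_long_run(secret) or has_sequence(secret):
        return False, "repetitive or sequential characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3", "Password1", "abcd1234", "short"):
        print(repr(pw), check_password(pw))
    print(check_password("soylent!news!rocks", context_words=("soylent",)))
```

Note what is absent: nothing demands a digit or a symbol, so a four-word pass phrase with spaces passes while "Password1" fails purely because it is on the blocklist. There is also no expiry field anywhere; rotation happens only when a compromise is detected, which is outside this function.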
(Score: 2) by bzipitidoo on Tuesday October 10 2017, @09:57PM (20 children)
What really annoys me are the "security questions" that are passwords in all but name. I've been locked out of accounts despite knowing the password, because I couldn't answer the security questions within 3 tries (did I capitalize the first letter of my answer? etc.), and they have this stupid 3 strikes policy. Facebook will allow only 3 guesses per hour. Others lock up permanently after 3 failed guesses, and you have to call customer service to get it unlocked.
It's effectively 7 passwords to remember when a site demands no less than 6 security questions. Worse, with that many questions and a 3 strikes policy, you'd better make sure you have the answers paired up with the correct questions, so have to record the questions too.
(Score: 1, Troll) by bob_super on Tuesday October 10 2017, @10:11PM (7 children)
Oh Dear, Oh Dear, what will one do if they are locked out of facebook for a full hour?
I'll call the UNHCR for you.
(Score: 0) by Anonymous Coward on Tuesday October 10 2017, @10:23PM (3 children)
There's this thing called life that relies on genuine human interaction; unfortunately Facebook has yet to offer this service to their users (AKA: product).
(Score: 2) by takyon on Tuesday October 10 2017, @10:49PM
It's coming [soylentnews.org]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Tuesday October 10 2017, @11:57PM (1 child)
Sometimes people use Facebook to arrange in-person meetings, do they not? In which case, an hour's delay in communicating could be a problem.
(Score: 3, Informative) by Anal Pumpernickel on Wednesday October 11 2017, @08:45AM
Regardless of what reasons people have for allowing themselves to be used by the monstrous surveillance engine known as Facebook, they are fools for doing so.
(Score: 2) by richtopia on Tuesday October 10 2017, @11:15PM (2 children)
I know my Facebook account password. However I haven't logged in for 7 years, so when I attempted to again I was prompted with a series of security questions asking me to identify people in photos. I don't know how my high school colleagues look!
Moral of the story, moving onto 8 years of no Facebook. And my family who only uses Facebook messenger to make social plans never communicates with me.
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:10AM (1 child)
https://www.prod.facebook.com/help/159096464162185 [facebook.com]
(Score: 2) by Aiwendil on Wednesday October 11 2017, @01:15PM
And that really annoys me, I haven't signed up with my real name for anything in more than a decade (only about 60% of my friends know my real name, almost all know this username however). Also how does it deal with name changes?
Why on earth would I sign up on a social networking site with a name very few people call me? (Not even my coworkers call me by my name, they instead use one of the three irl-nicknames I have. I know some of them don't know my name) And it can be years between the times when I hear someone call me by my real name.
(Score: 2) by frojack on Tuesday October 10 2017, @10:26PM (2 children)
I've got one bank account I manage that wants to ask you a security question for EACH function, and have you remember them.
That's bad enough for a personal account, but it's a business account.
So as account handlers (employees) get swapped out over time, whenever one of these functions is needed (adding a new Payee for example), they have to call up the old account handler, ask him what his best childhood friend's first name was, and write that down. Then they repeat the process the next time they want to change a mailing address or phone number.
And god help you if you log in from a different IP. Now you need two passwords or security questions.
Jeeze, just give me a Yubikey [yubico.com] and be done with it. At least I could put that in the safe. Now what was that safe combo?
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by NewNic on Tuesday October 10 2017, @11:54PM (1 child)
At least one bank in the UK has 2FA using your debit card. They issue you a card reader, and when you want to do a transaction like sending money, you slip the card into the reader, enter your card's PIN, then enter a number provided by the website. Finally, you type the number that the card reader returned back into the website.
It does require cards with chips, which have been in use in Europe for a lot longer than in the USA.
There is another factor with the way things work in the UK: it's actually simple and efficient to send money electronically directly from one bank account to another, both within the UK and internationally. I don't believe British people can imagine how difficult that task is in the USA.
lib·er·tar·i·an·ism ˌlibərˈterēənizəm/ noun: Magical thinking that useful idiots mistake for serious political theory
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:35PM
If it's anything like the German chip/tan system, it's orders of magnitude better than regular 2-factor authentication.
Regular 2-factor is only valid once or for one minute (depending on the version). Either way, a man in the middle attack (or "man in the browser", for those who think that anything not stopped by SSL cannot be called MITM) can just replace the amount and account number. The chip/tan code on the other hand is basically a digital signature of the transaction id, target account and amount, which are also shown on the screen on the device itself (which has no connection to the computer).
When done correctly, that number you enter is only valid for the amount and target account shown on the device screen.
(Score: 2) by RS3 on Wednesday October 11 2017, @03:23AM (5 children)
I had fun recently with AOL, due to Verizon buying AOL and moving verizon.net email accounts to AOL. AOL insist on several security questions (3-5 I think).
I tried to tell them, and others, that I can remember a really good password, but multi-factor, etc., and I have to write it down, copy it to several places, keep in files on all computers, etc. Not so secure now, huh?
And they will NOT help you on the phone unless you know the answers!
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @02:21PM (4 children)
AOL???
(Score: 2) by RS3 on Wednesday October 11 2017, @06:43PM (3 children)
Not to be pedantic, but that's not a complete question; I don't understand what you're asking.
(Score: 2) by Yog-Yogguth on Sunday October 15 2017, @10:36AM (2 children)
Good point! Considering it is now 2017 it's hard to tell if he/she/it/bot is trying to be elitist (because of AOL history) or funny (because of AOL history) or impressed (not because of AOL history!!!).
Flames/burns/insults that are so old they have become flattering lol :)
I welcome our dinosaurs making dinosaur jokes about dinosaurs :D
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 2) by RS3 on Monday October 16 2017, @04:29AM (1 child)
Yeah, or maybe the he/she/it/bot doesn't even know who/what AOL is.
Can bots google? Or does google use a bot filter?
(Score: 2) by Yog-Yogguth on Monday October 16 2017, @09:33PM
Yes (but strictly yesnomaybe although mostly very yes) bots can Google, and yesnomaybe there is a bot filter of sorts both for Google and everyone else and also for anyone using Google but not really. Easy clear answers right? :D
Google's own bots (often called indexing spiders, or at least once upon a time they were called that) are (or were) meant to respect any HTTP robots.txt file [wikipedia.org] details. Any other non-Google bot (or script for that matter) is able to use Google just like any other website or for that matter ignore (or respect) any robots.txt file they find if they act like indexing spiders themselves. Google does not have a bot filter as such but probably at very high volumes of traffic/questions/searches restricts the amount of use from any one IP address or IP subnet addresses which I guess one could call a bot filter of sorts although it's more about use and capacity i.e. flooding control and it has plenty of yesnomaybe answers of its own :)
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @03:05PM
I don't have issues with the security questions. Make a standard for yourself. Do you capitalize the answers? If so, do it all the time. Do you fully spell it out or use common abbreviations? If so, do it all the time. Do you enter spaces or all one word? Do it all the time.
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @05:21PM
you're not supposed to be trying to remember all that shit. copy/paste it, ffs
(Score: 2) by ilsa on Wednesday October 11 2017, @05:27PM
I come up with random answers and store them in my password database along with the password.
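Both habits in the last two comments (the user-side "make a standard for yourself" and ilsa's random answers kept in the password database) have a server-side counterpart, shown here as an added example that is not code from any site named in the thread: normalize the answer (case, Unicode form, punctuation, whitespace) before hashing so capitalization mistakes do not burn one of the three strikes, hash it with a slow KDF because it is a password in all but name, and treat the answer as something a manager stores rather than something a human remembers. The stored record and the parameters are constructed.

```python
"""Security-question answers handled as what they are: weak passwords.

Added example, not from any site in the thread. Normalization happens on the
server so the user's capitalization habits don't lock them out; hashing uses
scrypt from the standard library with constructed parameters."""
import hashlib
import hmac
import re
import secrets
import unicodedata


def normalize_answer(answer: str) -> str:
    """Fold case and Unicode form, drop punctuation, collapse whitespace,
    so "St. Mary's  Elementary" and "st marys elementary" compare equal."""
    s = unicodedata.normalize("NFKC", answer).casefold()
    s = re.sub(r"[^\w\s]", "", s)     # drop punctuation such as . ' -
    return " ".join(s.split())         # collapse runs of whitespace


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; a fresh salt is drawn if none given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode(),
                            salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_answer(answer: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, digest = hash_answer(answer, salt)
    return hmac.compare_digest(digest, stored)


def random_answer(nbytes: int = 16) -> str:
    """An unguessable answer meant for a password manager, not for memory.
    The 'question' then carries no information about the user at all."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    salt, stored = hash_answer("St. Mary's Elementary")   # constructed enrollment
    for attempt in ("st marys elementary", "ST. MARY'S  ELEMENTARY", "st mary"):
        print(repr(attempt), verify_answer(attempt, salt, stored))
    print("random answer for the manager:", random_answer())
```

Normalization widens the set of accepted strings slightly, which is fine for something that already has the entropy of a pet's name; it does not widen a random answer in any meaningful way. What it does not fix is the problem bzipitidoo raised of pairing answers with the right question; a manager entry that records the question text alongside the answer does.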