Stories
Slash Boxes
Comments

SoylentNews is people

Changes in Password Best Practices

posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Phoenix666 writes:

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?

Original Submission

 
This discussion has been archived. No new comments can be posted.
Changes in Password Best Practices | Log In/Create an Account | Top | 72 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Informative) by Ethanol-fueled on Tuesday October 10 2017, @11:14PM (3 children)

    by Ethanol-fueled (2792) on Tuesday October 10 2017, @11:14PM (#580145) Homepage

    Password expiration has always been pants-on-head retarded. The kind of dickheads who let others use their passwords are the same dickheads who are going to continue to let others use their passwords after they change it. Almost everybody else has a generic password and just increments a letter or digit or word or generally puts in the least effort necessary to comply with the local requirements.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Informative=1, Total=2
    Extra 'Informative' Modifier   0  
    Total Score:   3  

  • (Score: 3, Informative) by Anonymous Coward on Tuesday October 10 2017, @11:25PM

    by Anonymous Coward on Tuesday October 10 2017, @11:25PM (#580153)

    It dates back to old systems where you have read-access to the hashed password database.

    It has nothing to do with password sharing.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday October 10 2017, @11:35PM

    by Anonymous Coward on Tuesday October 10 2017, @11:35PM (#580157)

    Almost everybody else has a generic password and just increments a letter or digit or word or generally puts in the least effort necessary to comply with the local requirements.

    Which is why new discourse.org forums default on a policy that randomizes a strong password and force you to use it without letting you make your own.

    Going off topic, I hate discourse.org with a passion. Their shitty javascript is dog slow while at the same time every other tech support site uses them.

  • (Score: 4, Informative) by stretch611 on Tuesday October 10 2017, @11:53PM

    by stretch611 (6199) on Tuesday October 10 2017, @11:53PM (#580162)

    I remember back when I was using a system with 8 letter max passwords with forced changing every 30 days, 1 upper, 1 lower and 1 number all required. It was a mess. To get around it, I would use the 3 letter abbreviation for the month followed by the 4 digit year... Mar2005 Apr2005 May2005. (8 digit max, I think the min was 5 or 6)

    This is the exact reason why forced password changing is a bad idea.

    for the record... I use KeePassX [keepassx.org] now. It is protected with both a private key file and long passphrase.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P