
posted by mrpg on Tuesday October 10 2017, @09:30PM   Printer-friendly
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

- Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?
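The three recommendations in the summary translate directly into what a site's password-acceptance check should and should not do. The following is an added example written for this story, not code from Schneier, NIST, or SoylentNews: a legacy composition-rule validator next to a check built on the memorized-secret rules in SP 800-63B section 5.1.1.2 (minimum length, a blocklist of compromised and common values, no character-class requirements, no expiry). The blocklist entries and the 256-character upper bound are constructed for the example; a real verifier would load a breached-password corpus.

```python
"""Contrast a legacy composition-rule password policy with a check modelled on
NIST SP 800-63B section 5.1.1.2 (memorized secrets). Illustrative example for
this thread; not NIST's or any vendor's code."""
import re
import unicodedata

# Constructed sample blocklist. A real verifier would load a corpus of breached
# and commonly used passwords instead of this handful of entries.
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8     # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_LENGTH = 256   # assumption: a generous cap to bound hashing cost (NIST: allow at least 64)


def legacy_complexity_check(pw: str) -> list[str]:
    """The composition-rule policy the guidelines tell sites to drop.

    Returns a list of rule violations; an empty list means the password passes.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"missing {name} character")
    return problems


def nist_memorized_secret_check(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Accept anything long enough that is not a known-bad or context-derived value.

    No character-class rules and no expiry. `context` holds strings the secret
    must not be built from (username, service name); matching is case-insensitive.
    Returns a list of problems; an empty list means the secret is acceptable.
    """
    # SP 800-63B requires Unicode normalization (NFKC or NFKD) before counting
    # length and hashing, so the same visible secret verifies on every device.
    secret = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = secret.casefold()
    if folded in BLOCKLIST:
        problems.append("appears on the compromised/common password blocklist")
    # NIST lists repetitive values such as "aaaaaa" among the things to reject.
    if folded and len(set(folded)) == 1:
        problems.append("single repeated character")
    for word in context:
        if word and word.casefold() in folded:
            problems.append(f"contains context-specific word {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "short"):
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)} "
              f"nist={nist_memorized_secret_check(candidate)}")
```

The contrast is the point of the summary: a four-word passphrase fails the legacy rules (no uppercase, no digit) but is accepted by the NIST-style check, while "P@ssw0rd" satisfies every composition rule and is rejected only because it sits on the blocklist.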


Original Submission

  • (Score: 4, Touché) by Appalbarry on Wednesday October 11 2017, @12:56AM (4 children)

    by Appalbarry (66) on Wednesday October 11 2017, @12:56AM (#580191) Journal

    My approach to passwords begins with the question: just how critical is this site or app, and is figuring out a super-secure password really worth my time? Most forums and the like get short simple passwords because I can't see any significant damage happening if they get accessed by someone else. For those sites that I only visit once or twice a year I don't even try - I just use "Forgot Password."

    Mostly I trust Chrome to keep track of my passwords. I use it on three different devices so it works fine for me. If I'm using someone else's computer I'll fall back to "Forgot Password."

    There are a handful of sites that I feel actually merit a serious password, and that tends to be of the Hammer56Grout$ variety - complex enough to make the little checkmarks turn green, but memorable enough to stick in my brain. Yeah, I'll reuse that for those few sites, but I also change it out every couple of months, or when one of the sites involved has been compromised.

    The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed? Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

    (If the answer is that you need to type in the password manager password every time you need to log in, I really can't be bothered.)

    Honestly, I waver between "There's got to be a better way short of biometrics" and "on-line security is a lost cause, so why bother."

  • (Score: 2) by vux984 on Wednesday October 11 2017, @01:19AM

    by vux984 (5045) on Wednesday October 11 2017, @01:19AM (#580200)

    The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed?

    The answer to that is simple... don't. Or at least have your phone with you that has a sync'd copy of the key file.

    Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

    How paranoid are you? I use "password safe" myself (on windows/linux). It automatically locks and needs the password to unlock the password file after the computer locks (either on time out or Win+L). It also can be set to automatically lock when you minimize it (I don't use this), and/or after a certain number of minutes (I do have this on but longer than the default of 5). I also sync the file between a few different computers; so *I* don't get locked out of all my accounts if one of my devices dies or goes missing.

    So if my laptop were stolen, I wouldn't be too worried about it. They'd need to snatch it while it was unlocked while the password manager was unlocked. This certainly happens, but I'm usually using it. If you lock it before you leave it, it locks, and both your PC and your device need to be unlocked at the time for it to be any good to them. By the time they brute forced the password safe unlock, I'd have changed all my passwords.

    On average I need to unlock the password safe a few times per day. It's not that much of a chore. And I actually have a 2nd password safe for really high value passwords (banking, domain registrar, etc...), and that one gets opened a lot less; so the odds of losing my banking password by my laptop being swiped out of my hands within a couple minutes of looking up my soylentnews password is basically zero. (Oh, who am I kidding, my SN password is in the tier where, yeah, it's in the safe, but I let my browser remember it so I don't need to open the safe for it. :)

  • (Score: 3, Interesting) by stormwyrm on Wednesday October 11 2017, @01:26AM (2 children)

    by stormwyrm (717) on Wednesday October 11 2017, @01:26AM (#580205) Journal

    The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed? Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

    For the latter question, you need to have one very good password that you have memorized to protect your password manager. All proper password managers have the password database strongly encrypted, so a thief who steals a device with my password database on it (this has happened to me once in the past actually) will not be able to access any of my accounts unless they can also break the encryption. (By the way, after that incident I did change all the passwords for good measure.) The former question I think has an obvious answer. I use a password manager myself (KeepassX, which has versions for Linux, Windows, and Android), and the most difficult thing I haven't yet been able to hack a good solution for is how to securely distribute an up-to-date version of the password database to all of my devices and machines after I change a password. I sure as hell am not going to be putting the database on Google Drive or any other cloud, unless the "cloud" is on hardware I have physical access to and uses software I at least have some measure of control over.

    --
    Numquam ponenda est pluralitas sine necessitate.
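The two comments above rest on the same property: a stolen password database is useless without the memorized master password, because the file is encrypted under a key derived from that password with a deliberately slow function, and guessing the master password offline is what the thief would have to do. The following is an added illustration written for this thread, not KeePassX's or Password Safe's code or file format (KeePass-family databases use AES or ChaCha20 with Argon2 or AES-KDF; this sketch uses only the Python standard library). It derives encryption and MAC keys from the master password with scrypt, encrypts the entries with an HMAC-based counter-mode keystream, and authenticates everything with HMAC-SHA256 so a wrong password or a tampered file is rejected before any decryption. The scrypt cost parameters, salt and nonce sizes, and the sample entries are assumptions chosen for the example.

```python
"""Illustrative encrypted password database: scrypt-derived keys from one master
password, encrypt-then-MAC with HMAC-SHA256. Standard library only; written for
this thread and not any password manager's real format."""
import hashlib
import hmac
import json
import os

# Assumed cost parameters; a real manager tunes these to the target hardware.
# N=2**14, r=8 needs 16 MiB of memory per guess, which is what makes offline
# brute force of the master password expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=SCRYPT_MAXMEM, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt and authenticate the entries; returns salt || nonce || ct || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first; only an authentic blob is ever decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; the site password never appears in the blob.
    blob = seal_vault("correct horse battery staple", {"soylentnews": "example-site-secret"})
    print(len(blob), "byte vault written")
    print(open_vault("correct horse battery staple", blob))
```

Every guess at the master password costs one scrypt evaluation, which is the "by the time they brute forced the password safe unlock" margin vux984 describes, and the tag check means a thief who modifies the file learns nothing from the decryption path. The sync problem stormwyrm raises is untouched by this: the blob can be copied anywhere, but something still has to move the latest copy between devices.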
    • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @10:36AM (1 child)

      by Anonymous Coward on Wednesday October 11 2017, @10:36AM (#580376)

      I think you want owncloud
      https://en.wikipedia.org/wiki/OwnCloud [wikipedia.org]

      • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @05:26PM

        by Anonymous Coward on Wednesday October 11 2017, @05:26PM (#580597)

        you mean Nextcloud [nextcloud.com]