NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
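The three points above translate directly into verifier-side code. The following is an added example, not part of the summary or of NIST's publication: a password-acceptance check written the way SP 800-63B describes (a minimum length, a generous maximum so passphrases with spaces fit, a comparison against a list of common or previously breached passwords, and no composition rules or calendar-based expiry), shown next to the legacy composition check it replaces. The blocklist is a constructed stand-in for a real breached-password list, and the function names are the example's own.

```python
# Added example (not from the original thread or from NIST): a verifier-side
# password check in the style of SP 800-63B, beside the legacy composition
# check that the guidelines say to drop.
import unicodedata
from typing import Tuple

MIN_LENGTH = 8    # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # 800-63B asks verifiers to permit at least 64 characters

# Constructed stand-in for a list of commonly used / breached passwords.
# A real deployment would load a large breach corpus here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def legacy_check(candidate: str) -> bool:
    """The old composition rule: upper, lower, digit, symbol, 8+ characters.
    It rejects long passphrases and accepts short, guessable patterns."""
    return (
        len(candidate) >= 8
        and any(c.isupper() for c in candidate)
        and any(c.islower() for c in candidate)
        and any(c.isdigit() for c in candidate)
        and any(not c.isalnum() for c in candidate)
    )


def normalize(secret: str) -> str:
    # NFKC so the same passphrase typed on different keyboards compares equal;
    # nothing is stripped or truncated, spaces and Unicode are allowed.
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, username: str = "") -> Tuple[bool, str]:
    """NIST-style acceptance: length bounds and a blocklist, no composition rules."""
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        return False, f"use at least {MIN_LENGTH} characters (a passphrase is fine)"
    if len(secret) > MAX_LENGTH:
        return False, f"use at most {MAX_LENGTH} characters"
    if secret.lower() in COMMON_PASSWORDS:
        return False, "that password appears in a list of commonly used passwords"
    if username and username.lower() in secret.lower():
        return False, "the password must not contain your username"
    return True, "ok"


def rotation_required(compromise_indicator: bool) -> bool:
    """Point two of the summary: no scheduled expiry. A forced change is
    driven only by evidence of compromise (e.g. the hash appeared in a breach)."""
    return compromise_indicator


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "P@ssw0rd", "short"]:
        print(f"{pw!r:35} legacy={legacy_check(pw)!s:5} nist={check_password(pw)}")
```

The contrast in the usage block is the point of the passage: the passphrase fails the legacy rule and passes the NIST check, while `P@ssw0rd` satisfies every composition rule yet is rejected because it is on the common-password list.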
Does this mean we can stop composing our passwords like Q*bert?
(Score: 3, Interesting) by stormwyrm on Wednesday October 11 2017, @01:26AM (2 children)
For the latter question, you need to have one very good password that you have memorized to protect your password manager. All proper password managers have the password database strongly encrypted, so a thief who steals a device with my password database on it (this has happened to me once in the past actually) will not be able to access any of my accounts unless they can also break the encryption. (By the way, after that incident I did change all the passwords for good measure.) The former question I think has an obvious answer. I use a password manager myself (KeepassX, which has versions for Linux, Windows, and Android), and the most difficult thing I haven't yet been able to hack a good solution for is how to securely distribute an up-to-date version of the password database to all of my devices and machines after I change a password. I sure as hell am not going to be putting the database on Google Drive or any other cloud, unless the "cloud" is on hardware I have physical access to and uses software I at least have some measure of control over.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @10:36AM (1 child)
I think you want owncloud
https://en.wikipedia.org/wiki/OwnCloud
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @05:26PM
you mean Nextcloud