posted by mrpg on Tuesday October 10 2017, @09:30PM
from the gud1dea dept.

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

-Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?
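The three NIST points above map onto a small verifier-side check. The example below is an added illustration, not code from the summary, from Schneier, or from NIST: it accepts any printable text of 8 characters or more (so pass phrases work), imposes no character-class rules or short cap, screens against a blocklist of common or compromised values, and treats "time since last change" as irrelevant unless there is evidence of compromise. The blocklist and the context words are constructed samples; a real deployment would load a large breached-password corpus instead.

```python
"""Password acceptance in the style of NIST SP 800-63B section 5.1.1.2.

Added example; SAMPLE_BLOCKLIST is a constructed stand-in for a real
compromised-password list.
"""
import re
import unicodedata
from dataclasses import dataclass, field

MIN_LEN = 8   # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 64  # verifiers must accept at least this many characters (no short cap)

# Constructed sample of "commonly used, expected, or compromised" values.
SAMPLE_BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein", "iloveyou",
}


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def normalize(secret: str) -> str:
    # 800-63B asks for NFKC or NFC so the same phrase typed on different
    # platforms compares equal (e.g. the ligature "ﬁ" becomes "fi").
    return unicodedata.normalize("NFKC", secret)


def has_repeats_or_sequence(s: str) -> bool:
    # Trivial patterns such as "aaaaaaaa", "12345678" or "abcdefgh".
    if not s:
        return False
    if len(set(s)) == 1:
        return True
    codes = [ord(c) for c in s]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return diffs in ({1}, {-1})


def check_password(secret: str, context_words=(), blocklist=SAMPLE_BLOCKLIST) -> Verdict:
    """NIST-style check: length, blocklist, patterns, context words. No class rules."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        # Long phrases are fine; we only refuse to silently truncate them.
        reasons.append(f"longer than the {MAX_LEN} characters this verifier stores")
    low = s.lower()
    if low in blocklist:
        reasons.append("appears on the compromised/common password list")
    if has_repeats_or_sequence(low):
        reasons.append("repetitive or sequential characters")
    for w in context_words:  # e.g. username or service name
        if w and w.lower() in low:
            reasons.append(f"contains context-specific word {w!r}")
    return Verdict(accepted=not reasons, reasons=reasons)


def legacy_check(secret: str) -> bool:
    """The composition-rule style 800-63B drops: four classes and a 16-char cap."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]")
    return 8 <= len(secret) <= 16 and all(re.search(p, secret) for p in classes)


@dataclass
class SecretRecord:
    age_days: int = 0
    compromised: bool = False


def needs_reset(rec: SecretRecord) -> bool:
    # No periodic expiry: force a change only on evidence of compromise.
    return rec.compromised


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "12345678"):
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={check_password(pw)}")
    print("400-day-old, not compromised ->", needs_reset(SecretRecord(age_days=400)))
```

The contrast the two checkers give on "correct horse battery staple" versus "P@ssw0rd" is the point of Schneier's first bullet: the legacy rules reject the strong phrase and accept the well-known weak one, while the blocklist-based check does the opposite.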
  • (Score: 3, Interesting) by stormwyrm on Wednesday October 11 2017, @01:26AM (2 children)

    by stormwyrm (717) on Wednesday October 11 2017, @01:26AM (#580205) Journal

    The question I have about password managers is what happens if you're using a computer (phone, tablet...) that doesn't have one installed? Or, alternatively, what happens if your device is stolen and the thief can now access all of your accounts?

    For the latter question, you need to have one very good password that you have memorized to protect your password manager. All proper password managers have the password database strongly encrypted, so a thief who steals a device with my password database on it (this has happened to me once in the past actually) will not be able to access any of my accounts unless they can also break the encryption. (By the way, after that incident I did change all the passwords for good measure.) The former question I think has an obvious answer. I use a password manager myself (KeepassX, which has versions for Linux, Windows, and Android), and the most difficult thing I haven't yet been able to hack a good solution for is how to securely distribute an up-to-date version of the password database to all of my devices and machines after I change a password. I sure as hell am not going to be putting the database on Google Drive or any other cloud, unless the "cloud" is on hardware I have physical access to and uses software I at least have some measure of control over.

    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @10:36AM (1 child)

    by Anonymous Coward on Wednesday October 11 2017, @10:36AM (#580376)

    I think you want owncloud
    https://en.wikipedia.org/wiki/OwnCloud [wikipedia.org]

    • (Score: 0) by Anonymous Coward on Wednesday October 11 2017, @05:26PM

      by Anonymous Coward on Wednesday October 11 2017, @05:26PM (#580597)

      you mean Nextcloud [nextcloud.com]