NIST proposes barring some of the most nonsensical password rules
NIST proposes barring some of the most nonsensical password rules
Here is the text of the NIST sp800-63b Digital Identity Guidelines.
How about making it illegal to block copying and pasting on website forms. I'm literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.
Frankly I'm mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.
There are plugins that will disallow this. I think the one I use is "don't fuck with paste"
Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.
Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.
Browsers shouldn't allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also searching on the page with ctrl + f. Like I don't care that websites won't to create their own experience. Don't mess with browser behavior.
Never thought to look for an extension for that. Thanks for mentioning it.
Think of the environment!
Less Delta-V to eject them from the solar system.
Don't forget you save lots of fuel by firing out of the solar system instead
the document is nearly impossible to read all the way through and just as hard to understand fully
It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.
My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I'm responsible for and what we're supposed to do about it.
Props to all the folks that can do it without losing their mind.
Useless??? Ever since the pandemic and the need for a robust remote work infrastructure, the amount of cybersecurity related job offers has exploded. And they're very well paid where I live.
The knowledge and skill are useful, but I can't say the same for the degree
It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance
My argument is that if this document (and others) are requirements for companies shouldn't there also be a more approachable document for people to use?
Sure, have the jargon filled document that those in the know can access, but without an additional not so jargon-y document you've just added a barrier to change. Maybe just an abstract of the rule changes on the front page without the jargon?
I don't know, maybe it's not a big deal to compliance officers but just seems to me (someone that isn't a compliance officer) that obfuscating the required changes behind jargon and acronyms is going to slow adoption of the changes.
It needs to be specific to be clear for its purposes. You can express everything in simpler terms but then you risk leaving things out of definitions. It's basically legal speak.
Normally, you'd read the scope of such a document to see whether it fits your purpose, then cherry-pick the chapters necessary. If something's unclear, you can google pretty much everything.
Doing that a few times will make it infinitely easier! You especially get to understand those broad, inaccessible definitions a lot easier.
Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I'm good to go. If there's no internet available, the smart card will still get me into my computer. If I'm on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.
I'll log into my home desktop and I'll get a message telling me that "it's time to reset your password!"
First of all, how dare you, on my computer? In my home?
Secondly, I don't even have a password on this thing
Eh, I think they should nag users to change their password proportional to how "strong" their password is. If you're barely meeting the minimum: reset every few months. If you're using a proper passphrase dozens of characters long: only reset if there's evidence of compromise.
One thing they should change is the word "password." This implies that it's a short string. Changing it to "passphrase" will help people feel comfortable choosing credentials like "correct horse battery staple."
I recently set up a password with a 16 character max, alphanumeric only, no spaces. The service is in no way a security threat but still.
A couple years ago I ran into one with a 12 character limit...
I never understood password limits, other than something sufficiently large like 256 to prevent DOS. It's not like the password is actually being stored anywhere... right? RIGHT??
Meanwhile, my company has systems insisting on expiring ssh keys after 90 days...
Fools! You have to expire the whole system!
Reinstall everything every 90 days. It's the only way.
You are going to give them ideas...
Ironically, reinstall the whole system, make sure to add some CrowdStrike, SolarWinds, and Ivanti for security and management though....
I'm surprised they'd expire the SSH keys rather than just requiring the password for the key to be rotated. I guess it's not too bad if the key itself is automatically rotated.
It would be more secure to have SSH keys that are stored on Yubikeys, though. Get the Yubikeys that check fingerprints (Yubikey Bio) if you're extra paranoid.
Problem they had was that ssh doesn't really have any way to enforce details of how the client key manifests and behaves. They could ship out the authentication devices after the security team trusted the public key, but that was more than they would have been willing to deal with.
Rotating the passphrase in the key wouldn't do any good anyway. If an attacker got a hold of your encrypted key to start guessing the passphrase, that instance of the key will never know that another copy has a passphrase change.
My company blocked ssh keys in favour of password + 2FA. Honestly I don’t mind the 2FA since we use yubikeys, but wouldn’t ssh key + 2FA be better?
Just store your keys on the yubikey. Problem solved.
Or use a smart card profile and go that route.
All well and good when ssh activity is anchored in a human doing interactive stuff, but not as helpful when there's a lot of headless automation that has to get from point a to point b.
We use keys + Yubikey 2FA (the long alphanumeric strings when you touch the Yubikey) at work, alhough they want to move all 2FA to Yubikey FIDO2/WebAuthn in the future since regular numeric/text 2FA codes are vulnerable to phishing. All our internal webapps already require FIDO2, as does our email (Microsoft 365).
i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn't reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn't install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.
fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren't sitting at the office computer but other than that people are much happier about passwords now.
Deleted
I would always just create 1 password and append a number and it's special char, cycling from 1 to 0; like 1!, 2@, 3#. Never stayed at a place long enough to go higher than 7 or 8.
I never gave a fuck about doing this because it's the companies fault for applying stupid policies. Whenever I've been allowed a password manager, they got real security instead of malicious compliance.
I feel like it's not a big impact on security if I use 2fa anyway. (Base password)(month)(year) is fine for me 😅
Stockholm1 (capitol)
90 days later:
Stockholm2
Interesting that unicode support is suggested. Emoji passwords could be fun.
Characters are characters. The system I just wrote will accept anything, because the first thing I do with it is hash it. If you want to make your password:
░▒▓█ ʥ۞ݔݯݲݸݴݺ '; drop table users; 🤣💩ʩ █▓▒░
Then go for it. More power to you for typing that out or, more likely, letting your password manager remember it. Make your password as entropic as you can manage, I don't care how you arrive there.
Yup. All I care is that your password isn't the entire works of Shakespeare or something like that. A couple hundred characters/bytes? You do you.
What really bothers me is when a website says something like: must have a special character, except these ones (proceeds to list everything except @ and !). And then the next one has the same rule, but different exceptions.
Passwords should be treated as a black box, just read it as bytes and throw it into the hash algorithm. You want to somehow enter a nyan cat? Be my guest, no guarantee the input box will accept it though.
Haha, and I smiled when I looking for the single quote in your password and sure it is there👍👍
my password is just 20 gigabytes of poop emojis.
Emoji passwords made me think of the Lotus Notes password prompt with their little images that changed as I typed (which never really made sense to me).
Yes, I'm old...
You heard it: stop imposing composition rules!
All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.
"Please insert your webcam."
It took me a moment to notice those weren't specifically security terms...
Now this is security I can get behind! Err, in front of?
I have one in my house! 🏡 Just reverse into it and Viola! The door opens! Works for the ref too! Hands free baby!
The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that's very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it's my new password. Apparently this is more secure??
I just add 1 to the number at the end of my password every time they force a change.
I'm on 18 right now.
My favorite are some of the work systems that I need to access, but only infrequently, yet still have ridiculous password expiration rules. Nearly every time I log in, before I can access the system I have to change my password because of course it's expired again. So I change the password, write it down because I'll never remember it months from now when I need to use that password exactly once to login and change my password yet again.
Any password length (within reason) and any character should be allowed. It's going to be hashed and only the hash will be stored right? Length and character limits make me suspect it's being stored in plain text.
I don't know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brute force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).
I very much agree with the rest though, it's unnerving when sites have a low max length. It almost feels like advertising that passwords aren't being hashed, and if that's the case there's a snowball's chance in hell that they're also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn't know how to sanitize strings (or entirely likely both)...
The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don't want to deal with that.
Although it would only be on the order of a couple of extra microseconds and I'm not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.
Rules here are 64 as a reasonable maximum. A lot of programmers don't realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.
Minor note: 64 unicode characters is potentially much more than 72 bytes.
You should probably have some safeguard to prevent jokers from uploading 14.2 gigabytes of absolute nonsense into your system's password field just to see if they can make it crash. But I think limiting it to, like, 8 kB ought to be quite lenient for anything with a modern internet connection.
As others have noticed, various hashing functions have an upperbound input length limit anyway. But I don't see any pressing reason to limit your field length to exactly that, even if only not to reveal anything about what you might be feeding that value into behind the scenes.
I usually do 256 characters. That's long enough that most password managers top out anyway (mine tops out at 128), and it shouldn't ever present a DOS risk. Anything much beyond that and you'll go beyond the hash length.
At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.
A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn't work for (the password manager's password, encrypted system partitions, etc). I'm assuming In just summed up 35,000 words.
Cracking an 8-char on an ordinary desktop or laptop PC can still take quite a while depending on the details. Unfortunately, the existence of specialized crypto-coin-mining rigs designed to spit out hashes at high speed, plus the ability to farm things out into the cloud, means that the threat we're facing is no longer the lone hacker cracking things on his own PC.
Newer password hashing algorithms have ways of combatting this. For example, argon2 will use a large amount of memory and CPU and can be tuned for execution time. So theoretically you could configure it to take 0.5 seconds per hash calculation and use 1 GB or more of ram. That's going to be extremely difficult to bruteforce 8 characters.
The trade-off is it will take a second or two to login each time, but if you've got some secondary pin system in place for frequent reauthentication, it can be a pretty good setup.
Another disadvantage is the algorithm effectively gets less secure the less powerful your local device is. Calculating that same 0.5s hash on a beefy server vs your phone could make it take way longer or even impossible without enough ram.
Reworded rules for clarity:
I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible.
NIST generally knows what they're doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.
For now, at least. Could change after Inauguration Day.
Didn’t know about sha3.
I hate that anyone has to be told not to truncate passwords. Like even if you haven't had any training at all, you'd have to be advanced stupid to even come up with that idea in the first place.
Microsoft used to do that. I made a password in the late 90's for a we service and I found out that it truncated my password when they made it after it warned my my password was too long when I tried to log in. It truncated at 16 characters.
It needed to be said. Because some password system architects have been just that stupid.
Edit: Fear of other's stupidity is the mind killer. I will face my fear. My fear will wash over me, and when it has passed, only I will remain. Or I'll be dead in a car accident caused by an AI driver.
I've seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It's infuriating
This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus incessantly insisting that they change their password every 7/14/30 days to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.
Remember: Users do not care about passwords. From the perspective of anyone who isn't a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd keeps putting in front of them that is preventing them from doing whatever it is they were actually trying to do.
Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.
re #7, I hope they are also saying no 'secret questions' to reset the password?
Yeah, I think 7 and 8 both cover that. I recently signed up for an account where all of the "security questions" provided asked about things that could be either looked up or reasonably guessed based on looked up information.
We live in a tech world designed for the technically illiterate.
I think so, based on the original: "Verifiers and CSPs [credential service providers] SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant." With "shall not" being used for hard prohibitions.
NIST knows what they're doing. It's getting organizations to adapt that's hard. NIST has recommended against expiring passwords for like a decade already, for example, yet pretty much every IT dept still has passwords expiring at least once a year.
That stipulation goes rather close to #5, even not being a composition rule.EDIT: see below.I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you're reasonably sure that your delay between failed password attempts works flawlessly.
EDIT: as I was re-reading the original, I found the relevant excerpt:
So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren't associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it's just some muppet trying passwords online versus trying it offline.
Hmm. I wonder about this one. Different ways to encode the same character. Different ways to calculate the length. No obvious max byte size.
Who cares? It's going to be hashed anyway. If the same user can generate the same input, it will result in the same hash. If another user can't generate the same input, well, that's really rather the point. And I can't think of a single backend, language, or framework that doesn't treat a single Unicode character as one character. Byte length of the character is irrelevant as long as you're not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.
It's crazy that they didn't include all the "should" items in that list. If you read the entire section, there's a critical element that's missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using "password" as their password, and keeping that forever. Really, really poor organization on their part. I'm already fighting this at work.
What kind of barbarian puts a space in their password?
Very common for pass phrases, and not dissuaded. Pass phrases are good for people to remember without using poor storage practices (post it notes, txt file, etc) and are strong enough to keep secure against brute force attacks or just guessing based off knowledge of the user.
Deleted
gosh who would want an uncommon character that obviously most average people aren’t thinking about in their passwords, that sounds like it might even be somewhat secure.
My passphrase includes several spaces. It's another character to assist in entropy.
I'm with you, despite seeing lemmings downvote the heck out of your comment 😢
The reason, and specifically for whitespace at the beginning or end of a password, is that a lot of users copy-paste their passwords into the form, and for various reasons, whitespace can get pasted in, causing an invalid match. No bueno.
Source: I'm a web developer who has seen this enough times that we had to implement a whitespace-trim validation for both setting & entering passwords.
I think it's pretty idiotic to
They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.
If a website doesn't enforce it, people are just going to do a password like password
password is a totally valid password under this rule. Any 8 letter word is valid. hopsital for example.
These passwords can be cracked in
secondsunder 10 minutes, and have their hashes checked for in leaks in no time if the salt is also exposed in the hack.Edit: Below
Numbers from a calculator with 8 characters using sha2 (ignoring that crackers will try obvious fill ins like 0 for o and words before random characters, this is just for example)
hospital 5m 23s
Hospital 10m 47s
Hospita! 39m 12s
Moving beyond 8
Hospita!r - 19h 49m
Hospita!ro 3w 4d
Hospita!roo 2y 1m
Hospita!room 66 years
The suggestion of multiple random words makes not needing the characters but you have to enforce a longer limit then, not 8.
At least with 11 characters with upper case and special characters if it was all random you get about 2 years after a breach to do something instead of mere weeks. If it was 11 characters all lower case nothing special you'd only get 2 months and we are rarely notified that fast.
The problem with this sort of requirement is that most people will solve it the laziest way. In this case, "ah, I can't use «hospital»? Mkay, «Hospital1» it is! Yay it's accepted!". And then there's zero additional entropy - because the first char still has 26 states, and the additional char has one state.
Someone could of course "solve" this by inserting even further rules, like "you must have at least one number and one capital letter inside the password", but then you get users annotating the password in a .txt file because it's too hard to remember where they capitalised it or did their 1337.
Instead just skip all those silly rules. If offline attacks are such a concern, increase the min pass length. Using both lengths provided by the guidelines: