Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • Lvxferre@mander.xyz
    link
    fedilink
    English
    arrow-up
    328
    ·
    2 months ago

    Reworded rules for clarity:

    1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
    2. Max length should allow at least 64 chars.
    3. You should accept all ASCII plus space.
    4. You should accept Unicode; if doing so, you must count each code as one char.
    5. Don’t demand composition rules (e.g. “u’re password requires a comma! lol lmao haha” tier idiocy)
    6. Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
    7. Don’t store password hints that others can guess.
    8. Don’t prompt the user to use knowledge-based authentication.
    9. Don’t truncate passwords for verification.

    I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.

    • frezik@midwest.social
      link
      fedilink
      English
      arrow-up
      112
      arrow-down
      1
      ·
      2 months ago

      NIST generally knows what they’re doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.

      • grue@lemmy.world
        link
        fedilink
        English
        arrow-up
        26
        arrow-down
        1
        ·
        2 months ago

        NIST generally knows what they’re doing

        For now, at least. Could change after Inauguration Day.

      • M500
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        2 months ago

        Didn’t know about sha3.

    • MajorHavoc@programming.dev
      link
      fedilink
      English
      arrow-up
      50
      ·
      edit-2
      2 months ago
      1. Don’t truncate passwords for verification.

      It needed to be said. Because some password system architects have been just that stupid.

      Edit: Fear of other’s stupidity is the mind killer. I will face my fear. My fear will wash over me, and when it has passed, only I will remain. Or I’ll be dead in a car accident caused by an AI driver.

      • Dhs92@programming.dev
        link
        fedilink
        English
        arrow-up
        50
        ·
        2 months ago

        I’ve seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It’s infuriating

        • Ashelyn@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          22
          ·
          edit-2
          2 months ago

          Years back, I had that happen on PayPal of all websites. Their account creation and reset pages silently and automatically truncated my password to 16 chars or something before hashing, but the actual login page didn’t, so the password didn’t work at all unless I backspaced it to the character limit. I forgot how I even found that out but it was a very frustrating few hours.

          • orclev@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            2 months ago

            Banks usually have the absolute worst password policies. It’s typically because their backend is some crusty mainframe from the 80s that limits inputs to something absurdly insecure by today’s standards and they’ve kicked the upgrade can down the road for so long now that it’s a staggeringly monumental task to rewrite it all. Thankfully most of them have upgraded at this point, but every now and then you still find one that’s got ridiculous limits like a maximum password length of 8 and only alphanumeric characters (with no 2FA obviously).

        • BrianTheeBiscuiteer@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          2 months ago

          Another ridiculous policy I’ve seen (many years ago) is logging in too fast. I used to get locked out of my banks website all the time and I used autotype with KeePass so I was baffled when it wouldn’t get accepted. Eventually I had a thought to slow down the typing mechanism and suddenly I didn’t get locked out anymore.

    • dual_sport_dork 🐧🗡️@lemmy.world
      link
      fedilink
      English
      arrow-up
      36
      ·
      edit-2
      2 months ago

      Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

      This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus incessantly insisting that they change their password every 7/14/30 days to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.

      Remember: Users do not care about passwords. From the perspective of anyone who isn’t a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd keeps putting in front of them that is preventing them from doing whatever it is they were actually trying to do.

      • Starbuncle@lemmy.ca
        link
        fedilink
        English
        arrow-up
        32
        ·
        2 months ago

        Everyone I’ve spoken to who has a password change rule just changes one character from their previous password. It does NOTHING.

        • dual_sport_dork 🐧🗡️@lemmy.world
          link
          fedilink
          English
          arrow-up
          21
          ·
          2 months ago

          That works great until some dickhole implements the old, “New password cannot contain any sequence from your previous (5) passwords.”

          This also of course necessitates storing (multiple successive!) passwords in plain text or with a reversible cipher, which is another stupid move. You’d think we’d have gotten all of this out of our collective system as a society by now, and yet I still see it all the time.

          All of these schemes are just security theater, and actively make the system in question less secure while accomplishing nothing other than berating and frustrating its users.

          • dgmib@lemmy.world
            link
            fedilink
            English
            arrow-up
            8
            ·
            edit-2
            2 months ago

            This also leads to stupid rules like you can’t change your password more than once a day, to prevent someone from changing their password 5 times and then changing it back to what it was before.

          • Starbuncle@lemmy.ca
            link
            fedilink
            English
            arrow-up
            8
            ·
            2 months ago

            HA, I hope you’re joking. Surely nobody’s actually done that, right? …Riiiight?

    • Tanoh@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      2 months ago

      Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.

      • Buddahriffic@lemmy.world
        link
        fedilink
        English
        arrow-up
        13
        ·
        2 months ago

        Yeah, I think 7 and 8 both cover that. I recently signed up for an account where all of the “security questions” provided asked about things that could be either looked up or reasonably guessed based on looked up information.

        We live in a tech world designed for the technically illiterate.

        • eronth@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          2 months ago

          I usually invent answers to those and store those answers in a password manager. Essentially turns them into backup passwords that can be spoken over the phone if necessary.

          Where was I born? “Stallheim, EUSA, Mars”

          Name of first pet? “Groovy Tuesday”

          It’s fun, usually.

          • Buddahriffic@lemmy.world
            link
            fedilink
            English
            arrow-up
            5
            ·
            2 months ago

            I tried that without a password manager for a little while. But then my answers were too abstract to remember, so now I also use a password manager for that.

          • subtext@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 months ago

            What is the first name of your first best friend?

            eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq

            Oh old eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq and I go way back! I met eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq in Pre-K and we’ve been inseparable ever since.

            It is quite annoying if they’re a service that makes you read aloud your security questions to phone reps to prove your identity. One of my retirement accounts requires that and I have to sigh and read out the full string. I’ve changed it since to an all lowercase, 20 digit string as a compromise.

            • NotMyOldRedditName@lemmy.world
              link
              fedilink
              English
              arrow-up
              5
              ·
              edit-2
              2 months ago

              20 character all lowercase is very secure as long as its random words / letters that would make it unguessable by knowing you.

              Edit: you could also prefix it if you think you’d have to read it

              “This question is stupid fuck nuts house gravel neptune cow.”

        • frezik@midwest.social
          link
          fedilink
          English
          arrow-up
          5
          ·
          2 months ago

          Sarah Palin had her Yahoo mail account hacked because of those “security” questions. In 2008. We should be well past the time where they are a thing.

          • Buddahriffic@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            Q: What do you often see when you look out your back window?

            A: Vladimir Putin riding a horse shirtless.

            Hey maybe the GOP got connected with Putin because he was often at Palin’s backyard BBQs when he would ride over to say hi when he saw the gathering.

            Though I also just noticed there’s only two letters different between Putin and Palin… Maybe it was just Putin in a wig the whole time.

      • Lvxferre@mander.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        I think so, based on the original: “Verifiers and CSPs [credential service providers] SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.” With “shall not” being used for hard prohibitions.

    • hamsterkill@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      11
      ·
      2 months ago

      I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible

      NIST knows what they’re doing. It’s getting organizations to adapt that’s hard. NIST has recommended against expiring passwords for like a decade already, for example, yet pretty much every IT dept still has passwords expiring at least once a year.

    • cybersandwich@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      2 months ago

      I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.

      • Lvxferre@mander.xyz
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        2 months ago

        That stipulation goes rather close to #5, even not being a composition rule. EDIT: see below.

        I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you’re reasonably sure that your delay between failed password attempts works flawlessly.

        EDIT: as I was re-reading the original, I found the relevant excerpt:

        If the CSP [credential service provider] disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other complexity requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.

        So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren’t associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it’s just some muppet trying passwords online versus trying it offline.

    • General_Effort@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 months ago

      You should accept Unicode; if doing so, you must count each code as one char.

      Hmm. I wonder about this one. Different ways to encode the same character. Different ways to calculate the length. No obvious max byte size.

      • dual_sport_dork 🐧🗡️@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        2 months ago

        Who cares? It’s going to be hashed anyway. If the same user can generate the same input, it will result in the same hash. If another user can’t generate the same input, well, that’s really rather the point. And I can’t think of a single backend, language, or framework that doesn’t treat a single Unicode character as one character. Byte length of the character is irrelevant as long as you’re not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.

        • frezik@midwest.social
          link
          fedilink
          English
          arrow-up
          5
          ·
          2 months ago

          It matters for bcrypt/scrypt. They have a 72 byte limit. Not characters, bytes.

          That said, I also think it doesn’t matter much. Reasonable length passphrases that could be covered by the old Latin-1 charset can easily fit in that. If you’re talking about KJC languages, then each character is actually a whole word, and you’re packing a lot of entropy into one character. 72 bytes is already beyond what’s needed for security; it’s diminishing returns at that point.

        • General_Effort@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          If the same user can generate the same input, it will result in the same hash.

          Yes, if. I don’t know if you can guarantee that. It’s all fun and games as long as you’re doing English. In other languages, you get characters that can be encoded in more than 1 way. User at home has a localized keyboard with a dedicated key for such a character. User travels across the border and has a different language keyboard and uses a different way to create the character. Euro problems.

          https://en.wikipedia.org/wiki/Unicode_equivalence

          Byte length of the character is irrelevant as long as you’re not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.

          There is always some son-of-a-removed who doesn’t get the word.

          • John F. Kennedy
    • turtle@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      It’s crazy that they didn’t include all the “should” items in that list. If you read the entire section, there’s a critical element that’s missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using “password” as their password, and keeping that forever. Really, really poor organization on their part. I’m already fighting this at work.

    • NotMyOldRedditName@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      2 months ago

      I think it’s pretty idiotic to

      Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

      They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.

      If a website doesn’t enforce it, people are just going to do a password like password

      password is a totally valid password under this rule. Any 8 letter word is valid. hopsital for example.

      These passwords can be cracked in seconds under 10 minutes, and have their hashes checked for in leaks in no time if the salt is also exposed in the hack.

      Edit: Below

      Numbers from a calculator with 8 characters using sha2 (ignoring that crackers will try obvious fill ins like 0 for o and words before random characters, this is just for example)

      hospital 5m 23s

      Hospital 10m 47s

      Hospita! 39m 12s

      Moving beyond 8

      Hospita!r - 19h 49m

      Hospita!ro 3w 4d

      Hospita!roo 2y 1m

      Hospita!room 66 years

      The suggestion of multiple random words makes not needing the characters but you have to enforce a longer limit then, not 8.

      At least with 11 characters with upper case and special characters if it was all random you get about 2 years after a breach to do something instead of mere weeks. If it was 11 characters all lower case nothing special you’d only get 2 months and we are rarely notified that fast.

      • Lvxferre@mander.xyz
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.

        The problem with this sort of requirement is that most people will solve it the laziest way. In this case, “ah, I can’t use «hospital»? Mkay, «Hospital1» it is! Yay it’s accepted!”. And then there’s zero additional entropy - because the first char still has 26 states, and the additional char has one state.

        Someone could of course “solve” this by inserting even further rules, like “you must have at least one number and one capital letter inside the password”, but then you get users annotating the password in a .txt file because it’s too hard to remember where they capitalised it or did their 1337.

        Instead just skip all those silly rules. If offline attacks are such a concern, increase the min pass length. Using both lengths provided by the guidelines:

        • 8 chars, mixing:minuscules, capitals, digits, and any 20 special chars of your choice, for a total of 82 states per char. 82⁸ = 2*10¹⁵ states per password.
        • 15 chars, using only minuscules, for a total of 26 states per char. Number of states: 26¹⁵ = 1.7*10²¹ states per password.
        • NotMyOldRedditName@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          2 months ago

          But they mess that up with their 8 char rule

          Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

          I’d they’d just said shall require 15 but not require special chars then that’s okay, but they didn’t.

          Then you end up with the typical shitty manager who sees this, and says they recommend 8 and no special chars, and that’s what it becomes.

          • Lvxferre@mander.xyz
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            I don’t think that the entity should be blamed for the shitty manager. Specially given that the document has a full section (appendix A.2) talking about pass length.

            • NotMyOldRedditName@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              2 months ago

              The entity knows people will follow what they say for minimums. There’s already someone in the comment section saying they’re now fighting what these lax rules allow.

              Edit: stupid product managers will jump at anything that makes it easier for their users and dropping it to 8, no special characters, and no resets is the new thing now.

              • Lvxferre@mander.xyz
                link
                fedilink
                English
                arrow-up
                1
                ·
                2 months ago

                What you’re proposing is effectively the same as "they should publish inaccurate guidelines that do not actually represent their informed views on the matter, misleading everybody, to pretend that they can prevent the stupid from being stupid." It defeats the very reason why guidelines exist - to guide you towards the optimal approach in a given situation.

                And sometimes the optimal approach is not a bigger min length. Convenience and possible vectors of attack play a huge role; if

                • due to some input specificity, typing out the password is cumbersome, and
                • there’s no reasonable way to set up a password manager in that device, and
                • your blocklist of compromised passwords is fairly solid, and
                • you’re reasonably sure that offline attacks won’t work against you, then

                min 8 chars is probably better. Even if that shitty manager, too dumb to understand that he shouldn’t contradict the “SHOULD [NOT]” points without a good reason to do so, screws it up. (He’s likely also violating the “SHALL [NOT]” points, since he used the printed copy of the guidelines as toilet paper.)

      • naticus@lemmy.world
        link
        fedilink
        English
        arrow-up
        42
        ·
        2 months ago

        Very common for pass phrases, and not dissuaded. Pass phrases are good for people to remember without using poor storage practices (post it notes, txt file, etc) and are strong enough to keep secure against brute force attacks or just guessing based off knowledge of the user.

        • grue@lemmy.world
          link
          fedilink
          English
          arrow-up
          9
          ·
          2 months ago

          On one hand, that’s true. On the other hand, a person should only need exactly one passphrase, which is the one used to unlock their password manager. Every other password should be randomly-generated and would only contain space characters by chance.

          • naticus@lemmy.world
            link
            fedilink
            English
            arrow-up
            18
            ·
            2 months ago

            That’s great in theory, but you’ll have passwords for logging into OSes too which password managers do not help with and you better have it memorized or you’re going to have a bad time.

          • dual_sport_dork 🐧🗡️@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            That’s the “zero width space,” Alt + 200B for Windows users. Another favorite of mine is the nonbreaking space, Alt + 0160, which a staggering majority of web sites and other systems fail to account for.

      • rebelsimile@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        2 months ago

        gosh who would want an uncommon character that obviously most average people aren’t thinking about in their passwords, that sounds like it might even be somewhat secure.

      • portifornia@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        I’m with you, despite seeing lemmings downvote the heck out of your comment 😢

        The reason, and specifically for whitespace at the beginning or end of a password, is that a lot of users copy-paste their passwords into the form, and for various reasons, whitespace can get pasted in, causing an invalid match. No bueno.

        Source: I’m a web developer who has seen this enough times that we had to implement a whitespace-trim validation for both setting & entering passwords.

        • orclev@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          arrow-down
          1
          ·
          2 months ago

          Trimming whitespace from the start and end of a password is fine but you absolutely should not remove whitespace from the middle of a password.

  • VantaBrandon@lemmy.world
    link
    fedilink
    English
    arrow-up
    88
    ·
    2 months ago

    How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

    • johannesvanderwhales@lemmy.world
      link
      fedilink
      English
      arrow-up
      70
      ·
      2 months ago

      Frankly I’m mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

      There are plugins that will disallow this. I think the one I use is “don’t fuck with paste”

      • dual_sport_dork 🐧🗡️@lemmy.world
        link
        fedilink
        English
        arrow-up
        15
        ·
        2 months ago

        Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.

        Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          2 months ago

          Exactly.

          My host decided to update their TOS to force me to accept binding arbitration, so I Inspect Elemented that right off the page and sent a message to support to end my service effective immediately (had been a paying customer for years). You’re not going to bully me on my own browser…

      • D_Air1
        link
        fedilink
        English
        arrow-up
        13
        ·
        2 months ago

        Browsers shouldn’t allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also searching on the page with ctrl + f. Like I don’t care that websites won’t to create their own experience. Don’t mess with browser behavior.

        • JustARaccoon@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          5
          ·
          2 months ago

          You really want to memorise different shortcuts for search? What if you’re on a web app like discord? Ctrl+f isn’t gonna be as useful as a built in search solution that has access to data that isn’t visible until searched for. I get the issues on disabling the features but if they’re replacing browser behaviour with something that suits the site better I think that’s alright as long as it’s not s downgrade.

          • D_Air1
            link
            fedilink
            English
            arrow-up
            3
            ·
            2 months ago

            All too often it is a downgrade though. A lot of those webapps have terrible search and I only want to search for what is on the current page anyways. For example reddit search has been notoriously bad for a long time. Half the forums online seem to be using the exact same open source software with the exact same terrible search. When all too often I just want to find what is on the current page anyways.

    • Daemon Silverstein@thelemmy.club
      link
      fedilink
      English
      arrow-up
      16
      ·
      2 months ago

      I circumvent that by right-clicking, then choosing “Inspect element”, then switching to the tab “Console”, then typing $0.value = “TheValueIWantToPaste”. If right-clicking is also disabled, I use either F12 or Tools menu > DevTools.

          • xthexder@l.sw0.com
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 months ago

            And here I wrote an AutoHotKey script to type out my clipboard a character at a time so I can paste stuff into this remote desktop software I’m using that doesn’t support paste…

            It’s kinda necessary when the server’s unlock password is 256 characters long and completely random.

            • GreenKnight23@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              if it’s citrix you used to be able to modify the local connection config file to allow access to the clipboard regardless of what the server allowed.

              been a few years since I needed to do it, but it was possible at one time.

        • Daemon Silverstein@thelemmy.club
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          Sometimes it’s not “readonly”, but a Javascript thing that “event.preventDefault()” and “return false” during the “onpaste” event. As the event is generally set using elm.addEventListener instead of setting elm.onpaste, it’s not possible to remove the listener, as it’d need the reference for the handler function that was set to handle the mentioned JS event. So simply setting the value directly using elm.value bypasses the onpaste event.

    • a2part2@lemmy.zip
      link
      fedilink
      English
      arrow-up
      7
      ·
      2 months ago

      Think of the environment!

      Less Delta-V to eject them from the solar system.

    • kalpol@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      Don’t forget you save lots of fuel by firing out of the solar system instead

  • umami_wasabi
    link
    fedilink
    English
    arrow-up
    84
    ·
    edit-2
    2 months ago

    the document is nearly impossible to read all the way through and just as hard to understand fully

    It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

    • Toribor@corndog.social
      link
      fedilink
      English
      arrow-up
      27
      ·
      2 months ago

      My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I’m responsible for and what we’re supposed to do about it.

      Props to all the folks that can do it without losing their mind.

      • umami_wasabi
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        2 months ago

        You need to first understand the grand structure of the doc, then cherry pick the content to action points. At least that’s how I do it.

    • ISOmorph@feddit.org
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 months ago

      Useless??? Ever since the pandemic and the need for a robust remote work infrastructure, the amount of cybersecurity related job offers has exploded. And they’re very well paid where I live.

      • umami_wasabi
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        2 months ago

        The knowledge and skill are useful, but I can’t say the same for the degree

    • GoofSchmoofer@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance

      My argument is that if this document (and others) are requirements for companies shouldn’t there also be a more approachable document for people to use?

      Sure, have the jargon filled document that those in the know can access, but without an additional not so jargon-y document you’ve just added a barrier to change. Maybe just an abstract of the rule changes on the front page without the jargon?

      I don’t know, maybe it’s not a big deal to compliance officers but just seems to me (someone that isn’t a compliance officer) that obfuscating the required changes behind jargon and acronyms is going to slow adoption of the changes.

      • 0xD@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        It needs to be specific to be clear for its purposes. You can express everything in simpler terms but then you risk leaving things out of definitions. It’s basically legal speak.

        Normally, you’d read the scope of such a document to see whether it fits your purpose, then cherry-pick the chapters necessary. If something’s unclear, you can google pretty much everything.

        Doing that a few times will make it infinitely easier! You especially get to understand those broad, inaccessible definitions a lot easier.

  • Madblood@lemmy.world
    link
    fedilink
    English
    arrow-up
    41
    ·
    2 months ago

    Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

    About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I’m good to go. If there’s no internet available, the smart card will still get me into my computer. If I’m on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

    • turtletracks@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      ·
      edit-2
      2 months ago

      I’ll log into my home desktop and I’ll get a message telling me that “it’s time to reset your password!”

      First of all, how dare you, on my computer? In my home?

      Secondly, I don’t even have a password on this thing

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      2 months ago

      Eh, I think they should nag users to change their password proportional to how “strong” their password is. If you’re barely meeting the minimum: reset every few months. If you’re using a proper passphrase dozens of characters long: only reset if there’s evidence of compromise.

  • Semi-Hemi-Lemmygod@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    ·
    2 months ago

    One thing they should change is the word “password.” This implies that it’s a short string. Changing it to “passphrase” will help people feel comfortable choosing credentials like “correct horse battery staple.”

    • Soggy@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      I recently set up a password with a 16 character max, alphanumeric only, no spaces. The service is in no way a security threat but still.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        2 months ago

        A couple years ago I ran into one with a 12 character limit…

        I never understood password limits, other than something sufficiently large like 256 to prevent DOS. It’s not like the password is actually being stored anywhere… right? RIGHT??

  • jj4211@lemmy.world
    link
    fedilink
    English
    arrow-up
    32
    ·
    2 months ago

    Meanwhile, my company has systems insisting on expiring ssh keys after 90 days…

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        You are going to give them ideas…

        Ironically, reinstall the whole system, make sure to add some CrowdStrike, SolarWinds, and Ivanti for security and management though…

    • TBi@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 months ago

      My company blocked ssh keys in favour of password + 2FA. Honestly I don’t mind the 2FA since we use yubikeys, but wouldn’t ssh key + 2FA be better?

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        All well and good when ssh activity is anchored in a human doing interactive stuff, but not as helpful when there’s a lot of headless automation that has to get from point a to point b.

      • JasonDJ@lemmy.zip
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        2 months ago

        Just store your keys on the yubikey. Problem solved.

        Or use a smart card profile and go that route.

      • dan@upvote.au
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        We use keys + Yubikey 2FA (the long alphanumeric strings when you touch the Yubikey) at work, alhough they want to move all 2FA to Yubikey FIDO2/WebAuthn in the future since regular numeric/text 2FA codes are vulnerable to phishing. All our internal webapps already require FIDO2, as does our email (Microsoft 365).

    • dan@upvote.au
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      2 months ago

      I’m surprised they’d expire the SSH keys rather than just requiring the password for the key to be rotated. I guess it’s not too bad if the key itself is automatically rotated.

      It would be more secure to have SSH keys that are stored on Yubikeys, though. Get the Yubikeys that check fingerprints (Yubikey Bio) if you’re extra paranoid.

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        Problem they had was that ssh doesn’t really have any way to enforce details of how the client key manifests and behaves. They could ship out the authentication devices after the security team trusted the public key, but that was more than they would have been willing to deal with.

        Rotating the passphrase in the key wouldn’t do any good anyway. If an attacker got a hold of your encrypted key to start guessing the passphrase, that instance of the key will never know that another copy has a passphrase change.

  • xthexder@l.sw0.com
    link
    fedilink
    English
    arrow-up
    28
    ·
    2 months ago

    Interesting that unicode support is suggested. Emoji passwords could be fun.

    • dual_sport_dork 🐧🗡️@lemmy.world
      link
      fedilink
      English
      arrow-up
      24
      ·
      2 months ago

      Characters are characters. The system I just wrote will accept anything, because the first thing I do with it is hash it. If you want to make your password:

      ░▒▓█ ʥ۞ݔݯݲݸݴݺ '; drop table users; 🤣💩ʩ █▓▒░

      Then go for it. More power to you for typing that out or, more likely, letting your password manager remember it. Make your password as entropic as you can manage, I don’t care how you arrive there.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        16
        ·
        2 months ago

        Yup. All I care is that your password isn’t the entire works of Shakespeare or something like that. A couple hundred characters/bytes? You do you.

        What really bothers me is when a website says something like: must have a special character, except these ones (proceeds to list everything except @ and !). And then the next one has the same rule, but different exceptions.

        Passwords should be treated as a black box, just read it as bytes and throw it into the hash algorithm. You want to somehow enter a nyan cat? Be my guest, no guarantee the input box will accept it though.

        • Corhen@lemmy.world
          link
          fedilink
          English
          arrow-up
          12
          ·
          2 months ago

          also: “password is too long, max password length is 12 digits”

          Why… like, sure, cap it at 256 or something reasonable. but ive run into as low as 9 digits.

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            10
            ·
            edit-2
            2 months ago

            One of the four major banks in Australia used to (or maybe still does?) limit passwords to 6 characters. No more, no less. Exactly 6. They’re case insensitive, too.

            One of the other banks used to silently truncate passwords (to 12 characters if I remember correctly). They removed the truncation one day, and there were so many issues because people who had passwords longer than 12 characters couldn’t log in unless they knew to only enter the first 12 characters of it. It was a mess. Their phone support had a recorded message saying to only enter the first 12 characters if you have trouble logging in.

          • Sneezydinosaur@lemmy.world
            link
            fedilink
            English
            arrow-up
            7
            ·
            2 months ago

            I had a simulator for school truncate after like 13 characters. And nowhere on their page did it specify a character limit. Would still accept an input of like 64 characters though. Got locked out of that account many times.

            • Hazor@lemmy.world
              link
              fedilink
              English
              arrow-up
              7
              ·
              2 months ago

              I’ve run into similar: on the account creation page there was no character limit on the input box nor stated in the password requirements, but on the login page the password input box was limited to 14 characters. So you could successfully create an account with a long password, you just couldn’t log in because it wouldn’t let you enter the whole password.

      • xthexder@l.sw0.com
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        Yeah, multiple languages or even putting an ê or something in an English password to mix things up. It makes perfect sense to allow.

        It’s a good thing they require each codepoint to be treated as one character for the length limit, since “🤔🤣” is 8 bytes on its own, but the unicode prefix is trivial to guess.

    • noughtnaut@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      Emoji passwords made me think of the Lotus Notes password prompt with their little images that changed as I typed (which never really made sense to me).

      Yes, I’m old…

  • ctkatz
    link
    fedilink
    English
    arrow-up
    25
    ·
    2 months ago

    i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn’t reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn’t install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.

    fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren’t sitting at the office computer but other than that people are much happier about passwords now.

      • WhatAmLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        I would always just create 1 password and append a number and it’s special char, cycling from 1 to 0; like 1!, 2@, 3#. Never stayed at a place long enough to go higher than 7 or 8.

        I never gave a fuck about doing this because it’s the companies fault for applying stupid policies. Whenever I’ve been allowed a password manager, they got real security instead of malicious compliance.

      • Eril@feddit.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 months ago

        I feel like it’s not a big impact on security if I use 2fa anyway. (Base password)(month)(year) is fine for me 😅

  • Feelfold@lemm.ee
    link
    fedilink
    English
    arrow-up
    25
    arrow-down
    1
    ·
    2 months ago

    All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.

  • Classy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    21
    ·
    2 months ago

    The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that’s very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it’s my new password. Apparently this is more secure??

    • chiliedogg@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      2 months ago

      I just add 1 to the number at the end of my password every time they force a change.

      I’m on 18 right now.

    • toddestan@lemm.ee
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      My favorite are some of the work systems that I need to access, but only infrequently, yet still have ridiculous password expiration rules. Nearly every time I log in, before I can access the system I have to change my password because of course it’s expired again. So I change the password, write it down because I’ll never remember it months from now when I need to use that password exactly once to login and change my password yet again.

  • cmnybo@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    1
    ·
    2 months ago

    Any password length (within reason) and any character should be allowed. It’s going to be hashed and only the hash will be stored right? Length and character limits make me suspect it’s being stored in plain text.

    • AliasVortex@lemmy.world
      link
      fedilink
      English
      arrow-up
      22
      ·
      edit-2
      2 months ago

      I don’t know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brute force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).

      I very much agree with the rest though, it’s unnerving when sites have a low max length. It almost feels like advertising that passwords aren’t being hashed, and if that’s the case there’s a snowball’s chance in hell that they’re also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn’t know how to sanitize strings (or entirely likely both)…

      • Echo Dot@feddit.uk
        link
        fedilink
        English
        arrow-up
        2
        ·
        2 months ago

        The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don’t want to deal with that.

        Although it would only be on the order of a couple of extra microseconds and I’m not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          But it really doesn’t, unless you’re sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.

          I usually set mine to 256 characters to prevent DOS attacks, and also so I don’t need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don’t want to be there all day if I ever need to manually enter it (looking at you stupid smart TV…).

          • subtext@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            2 months ago

            unless you’re sending megabytes of text or something

            That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.

    • frezik@midwest.social
      link
      fedilink
      English
      arrow-up
      10
      ·
      2 months ago

      Rules here are 64 as a reasonable maximum. A lot of programmers don’t realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.

    • escapesamsara@lemmings.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 months ago

      Then you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.

        • frezik@midwest.social
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            ·
            2 months ago

            I do 256 so I hopefully never need to update it, but most of my passwords are 20-30 characters or something, and generated by my password manager. I don’t care if you choose to write a poem or enter a ton of unicode, I just need a bunch of bytes to hash.

    • dual_sport_dork 🐧🗡️@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      2 months ago

      You should probably have some safeguard to prevent jokers from uploading 14.2 gigabytes of absolute nonsense into your system’s password field just to see if they can make it crash. But I think limiting it to, like, 8 kB ought to be quite lenient for anything with a modern internet connection.

      As others have noticed, various hashing functions have an upperbound input length limit anyway. But I don’t see any pressing reason to limit your field length to exactly that, even if only not to reveal anything about what you might be feeding that value into behind the scenes.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        I usually do 256 characters. That’s long enough that most password managers top out anyway (mine tops out at 128), and it shouldn’t ever present a DOS risk. Anything much beyond that and you’ll go beyond the hash length.

  • BelatedPeacock@lemmy.world
    link
    fedilink
    English
    arrow-up
    16
    arrow-down
    1
    ·
    2 months ago

    At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.

    A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

    Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

    A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn’t work for (the password manager’s password, encrypted system partitions, etc). I’m assuming In just summed up 35,000 words.

  • nyan@lemmy.cafe
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    2 months ago

    Cracking an 8-char on an ordinary desktop or laptop PC can still take quite a while depending on the details. Unfortunately, the existence of specialized crypto-coin-mining rigs designed to spit out hashes at high speed, plus the ability to farm things out into the cloud, means that the threat we’re facing is no longer the lone hacker cracking things on his own PC.

    • xthexder@l.sw0.com
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      2 months ago

      Newer password hashing algorithms have ways of combatting this. For example, argon2 will use a large amount of memory and CPU and can be tuned for execution time. So theoretically you could configure it to take 0.5 seconds per hash calculation and use 1 GB or more of ram. That’s going to be extremely difficult to bruteforce 8 characters.

      The trade-off is it will take a second or two to login each time, but if you’ve got some secondary pin system in place for frequent reauthentication, it can be a pretty good setup.

      Another disadvantage is the algorithm effectively gets less secure the less powerful your local device is. Calculating that same 0.5s hash on a beefy server vs your phone could make it take way longer or even impossible without enough ram.

      • nyan@lemmy.cafe
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Unfortunately, it’s rare that we can control what hashing algorithm is being used to secure the passwords we enter. I merely pray that any account that also holds my credit card data or other important information isn’t using MD5. Some companies still don’t take cybersecurity seriously.

        • xthexder@l.sw0.com
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          Storing credit card data has its own set of strict security rules that need to be followed. It’s also the credit card company’s problem, not yours, as long as you dispute any fraudulent charges early enough.

          I’m coming at this from the perspective of a developer. A user can always use a longer password (and you should), but it’s technically possible to make an 8 character password secure, thus the NIST recommend minimum.