[Ace] NIST’s new password rules

Theo Larrieu theo at jlab.org
Wed Sep 21 16:33:22 EDT 2016


How long until DOE gets with the program I wonder?

From the article (reference at the bottom of the email):

"That’s right, the United States National Institute for Standards and Technology (NIST) 
is formulating new guidelines for password policies to be used in the whole of the US 
government (the public sector)."

*No composition rules.* What this means is, no more rules that force you to use 
particular characters or combinations, like those daunting conditions on some password 
reset pages that say, “Your password must contain one lowercase letter, one uppercase 
letter, one number, four symbols but not &%#@_, and the surname of at least one 
astronaut.”

Let people choose freely, and encourage longer phrases instead of hard-to-remember 
passwords or illusory complexity such as "pA55w+rd".

*No password hints.* None. If I wanted people to have a better chance at guessing my 
password, I’d write it on a note attached to my screen.

People set password hints like "rhymes with assword" when you allow hints. (Really! We 
have some astonishing examples from Adobe’s 2013 password breach: 
<https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/>)

*Knowledge-based authentication (KBA) is out.* KBA is when a site says, “Pick from a 
list of questions – Where did you attend high school? What’s your favourite football 
team? – and tell us the answer in case we ever need to check that it’s you.”

*No more expiration without reason.* This is my favourite piece of advice: If we want 
users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change 
those passwords unnecessarily.

The only time passwords should be reset is when they are forgotten, if they have been 
phished, or if you think (or know) that your password database has been stolen and could 
therefore be subjected to an offline brute-force attack.


Source:

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/?utm_content=buffer1244e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
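An added illustration of the "no composition rules" point above; this is example code, not something from the e-mail, the Sophos article, or NIST. `legacy_policy_ok` mimics a typical pre-2016 corporate rule set (the specific rules, including the banned symbols, are assumed for illustration), and `nist_style_ok` follows the direction the quoted passage describes: a length floor, a ceiling generous enough for phrases, no character-class requirements. The sample passwords are constructed. The NFKC normalisation and the rejection of control characters are my design choices, not something the article states.

```python
"""Two password-acceptance policies side by side (added example).

legacy_policy_ok  - composition rules: rewards 'pA55w+rd', rejects a long phrase.
nist_style_ok     - length only, no composition rules: the long phrase is fine.
"""
import unicodedata

# Assumed legacy blacklist of symbols, echoing the one in the quoted passage.
FORBIDDEN_SYMBOLS = set("|&%#@_")


def legacy_policy_ok(pw: str) -> bool:
    """Typical composition-rule policy (assumed for illustration):
    at least 8 characters, one lower, one upper, one digit, one symbol,
    and certain symbols banned outright."""
    if len(pw) < 8:
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    # Spaces are not counted as symbols, so a plain phrase fails this rule.
    has_symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    uses_forbidden = any(c in FORBIDDEN_SYMBOLS for c in pw)
    return has_lower and has_upper and has_digit and has_symbol and not uses_forbidden


def nist_style_ok(pw: str, min_len: int = 8, max_len: int = 128) -> bool:
    """Length-based policy with no composition rules.

    Spaces and any printable Unicode are accepted; control characters are
    rejected. Length is counted in code points after NFKC normalisation so
    the same phrase typed on different keyboards compares the same way.
    (Normalisation and the control-character check are this example's
    own design choices.)  The ceiling is deliberately high so that long
    phrases are never turned away.
    """
    pw = unicodedata.normalize("NFKC", pw)
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False
    return min_len <= len(pw) <= max_len


def compare(pw: str) -> dict:
    """Run both policies over one candidate password."""
    return {"legacy": legacy_policy_ok(pw), "nist_style": nist_style_ok(pw)}


# Constructed samples.
SAMPLES = [
    "pA55w+rd",                      # 'illusory complexity': passes the legacy rules
    "correct horse battery staple",  # long, memorable: fails the legacy rules
    "my dog ate 12 homeworks",       # digits but no upper/symbol: fails legacy
    "Ab1!",                          # too short for either policy
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:35} -> {compare(sample)}")
```

Running it shows the inversion the article complains about: the composition-rule policy accepts "pA55w+rd" and rejects "correct horse battery staple", while the length-only policy accepts the phrase (and, being only a length check, still lets the short substitution-style password through, which is why the article pairs this rule with encouraging longer phrases rather than relying on the rule alone).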


