[Ace] NIST’s new password rules
Theodore McGuckin
tsm at jlab.org
Wed Sep 21 17:09:35 EDT 2016
Interesting tidbit from talks today: two-factor requirements for gov't agencies were formalized in 2006; as of 2015, 35% of the gov't agencies required to adopt them actually had adopted them.
So... I'm thinking... never... is never good for you?
-----
"The 'Harmacy'? That's the exact opposite of what we're looking for!"
"I think the "P" is just burned out, Theo."
"Man, this is worse than that time we had to go to Hell to get gas."
"That was a SHELL station!"
- Theo McGuckin
Your Jefferson Lab System Administrator
From: "Theo Larrieu" <theo at jlab.org>
To: "ace" <ace at jlab.org>
Sent: Wednesday, September 21, 2016 4:33:22 PM
Subject: [Ace] NIST’s new password rules
How long until DOE gets with the program I wonder?
From the Article (reference at the bottom of the email)
"That’s right, the United States National Institute for Standards and Technology (NIST) is formulating new guidelines for password policies to be used in the whole of the US government (the public sector)."
No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_ , and the surname of at least one astronaut.”
Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
No password hints. None. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen.
People set password hints like “rhymes with assword” when you allow hints. (Really! We have some astonishing examples from Adobe’s 2013 password breach.)
Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”
No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.
The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
Source:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/?utm_content=buffer1244e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
_______________________________________________
Ace mailing list
Ace at jlab.org
https://mailman.jlab.org/mailman/listinfo/ace
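To make the “no composition rules, check against a breached list instead” advice concrete, here is an added example (not code from the thread or from the Sophos article) that puts a legacy composition-rule check next to a length-plus-blocklist check in the style of the draft NIST SP 800-63B the article summarizes. The blocklist is a small constructed set standing in for a real breach corpus, and the 8/64-character bounds and NFKC normalization are taken from 800-63B; the function and variable names are my own.

```python
"""Side-by-side password acceptance checks: a legacy composition-rule
policy versus a length-plus-blocklist policy in the style of NIST SP 800-63B.
Added illustration; not code from the mailing-list thread or the article."""

import re
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password corpus (a real deployment
# would load millions of entries from a breach dump); not real breach data.
SAMPLE_BLOCKLIST = {
    "password", "password1", "Passw0rd!", "pA55w+rd", "letmein", "qwerty123",
}

MIN_LENGTH = 8   # 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # 800-63B: the verifier must accept at least 64 characters


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list = field(default_factory=list)


def composition_policy(password: str) -> PolicyResult:
    """The kind of rule set the article argues against: minimum 8 characters,
    one lowercase, one uppercase, one digit, one symbol, and none of &%#@_."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        reasons.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        reasons.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        reasons.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        reasons.append("no symbol")
    if re.search(r"[&%#@_]", password):
        reasons.append("uses a symbol the form forbids (&%#@_)")
    return PolicyResult(accepted=not reasons, reasons=reasons)


def nist_style_policy(password: str, blocklist=SAMPLE_BLOCKLIST) -> PolicyResult:
    """Length check plus a blocklist lookup, nothing else: no composition
    rules, no hints, no security questions. Normalize first, as 800-63B
    requires (NFKC or NFKD), so that visually identical inputs are treated
    alike and length is counted on the canonical form."""
    normalized = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(normalized) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(normalized) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if normalized in blocklist:
        reasons.append("appears in the breached/common-password blocklist")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    # The "illusory complexity" case from the article sails through the
    # composition rules and is caught only by the blocklist; the long
    # passphrase is the reverse.
    for candidate in ["pA55w+rd", "Passw0rd!", "correct horse battery staple"]:
        old = composition_policy(candidate)
        new = nist_style_policy(candidate)
        print("%-30r composition=%s %s | nist=%s %s"
              % (candidate, old.accepted, old.reasons, new.accepted, new.reasons))
```

The normalization step matters more than it looks: without it, a password typed with combining characters can pass the length check while its precomposed form would not, and the same secret can miss a blocklist entry stored in the other form. The reset-on-compromise advice from the article is a matter of process (forgotten, phished, or stolen database) rather than of this validator, so it is not modelled here.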