<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div>Interesting tidbit from talks today: two-factor requirements for gov't agencies were formalized in 2006; as of 2015, 35% of the gov't agencies required to adopt them actually had adopted them.</div><div><br></div><div>So... I'm thinking... never... is never good for you?</div><div><br></div><div data-marker="__SIG_PRE__">-----<br> "The 'Harmacy'? That's the exact opposite of what we're looking for!"<br> "I think the "P" is just burned out, Theo."<br> "Man, this is worse than that time we had to go to Hell to get gas."<br> "That was a SHELL station!"<br><br> - Theo McGuckin<br> Your Jefferson Lab System Administrator<br></div><br><hr id="zwchr" data-marker="__DIVIDER__"><div data-marker="__HEADERS__"><b>From: </b>"Theo Larrieu" <theo@jlab.org><br><b>To: </b>"ace" <ace@jlab.org><br><b>Sent: </b>Wednesday, September 21, 2016 4:33:22 PM<br><b>Subject: </b>[Ace] NIST’s new password rules<br></div><br><div data-marker="__QUOTED_TEXT__">How long until DOE gets with the program I wonder?<br>
<br>
From the Article (reference at the bottom of the email)<br>
<br>
"That’s right, the United States National Institute for Standards
and Technology (NIST) is formulating new guidelines for password
policies to be used in the whole of the US government (the public
sector)."
<p><strong>No composition rules.</strong> What this means is, no
more rules that force you to use particular characters or
combinations, like those daunting conditions on some password
reset pages that say, “Your password must contain one lowercase
letter, one uppercase letter, one number, four symbols but not <code>&%#@_</code>,
and the surname of at least one astronaut.” </p>
<p>Let people choose freely, and encourage longer phrases instead of
hard-to-remember passwords or illusory complexity such as <code>pA55w+rd</code>.</p>
<p><strong>No password hints.</strong> None. If I wanted people to have
a better chance at guessing my password, I’d write it on a note
attached to my screen. </p>
<p>People set password hints like <code><a href="https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/" target="_blank">rhymes
with assword</a></code> when you allow hints. (Really! We have
some <a href="https://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/" target="_blank">astonishing
examples</a> from Adobe’s 2013 password breach.)</p>
<p><strong>Knowledge-based authentication (KBA) is out.</strong> KBA
is when a site says, “Pick from a list of questions – Where did
you attend high school? What’s your favourite football team? – and
tell us the answer in case we ever need to check that it’s you.”</p>
<p><strong>No more expiration without reason.</strong> This is my
favourite piece of advice: If we want users to comply and choose
long, hard-to-guess passwords, we shouldn’t make them change those
passwords unnecessarily. </p>
<p>The only time passwords should be reset is when they are
forgotten, if they have been phished, or if you think (or know)
that your password database has been stolen and could therefore be
subjected to an offline brute-force attack.</p>
<br>
<p>Source:<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/?utm_content=buffer1244e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer" target="_blank">https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/?utm_content=buffer1244e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer</a></p>
<br>_______________________________________________<br>Ace mailing list<br>Ace@jlab.org<br>https://mailman.jlab.org/mailman/listinfo/ace<br></div></div></body></html>