Tuesday, October 10, 2017

Big changes in password security recommendations

NIST is the National Institute of Standards and Technology, and it publishes reams of security standards.  They have a new one out (NIST SP 800-63-3 for you NISTaholics; the password rules themselves live in the SP 800-63B volume, "Authentication and Lifecycle Management") that changes what people have been told about password security:
  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases: the new guidance says to accept at least 64 characters and any printable character (spaces and Unicode included), and to screen new passwords against a list of known-breached and commonly used ones instead of demanding upper-case/digit/symbol mixes.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.
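To make the difference concrete, here is an added example (not from the post or from NIST) that puts the old composition-rule policy next to a check written in the style of SP 800-63B: length bounds, a blocklist of breached and trivially guessable passwords, a context check against the username, and no complexity rules. The breached-password list is a tiny constructed sample standing in for a real breach corpus; the rule names and function names are my own.

```python
"""Added example: legacy complexity rules vs. an SP 800-63B style check.

Not code from the original post. BREACHED_PASSWORDS is a constructed
sample; a real verifier would load a large breach corpus instead.
"""
import re
import unicodedata

# Constructed stand-in for a breached / common-password list.
BREACHED_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "qwerty123", "letmein",
    "correcthorsebatterystaple",
}

MIN_LEN = 8    # 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers must accept at least 64 characters


def old_style_check(pw: str, username: str = "") -> list[str]:
    """The legacy composition-rule policy the post argues against.

    Returns a list of rule violations; empty means the password is accepted.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    return problems


def is_sequential(s: str) -> bool:
    """True if every character is exactly one code point after the previous one."""
    return len(s) >= 2 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def nist_style_check(pw: str, username: str = "") -> list[str]:
    """Acceptance check in the style of SP 800-63B section 5.1.1.2.

    Length plus a blocklist; no composition rules and no expiry. A long
    passphrase of plain lower-case words passes. Returns violations.
    """
    problems = []
    # Normalize Unicode (NFKC) so composed and decomposed forms of the same
    # passphrase are measured and looked up the same way.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        # Raise the limit rather than silently truncating what the user typed.
        problems.append(f"longer than {MAX_LEN} characters (raise the limit, do not truncate)")
    lowered = pw.lower()
    # Blocklist: known-breached passwords, repetitive or sequential strings,
    # and context-specific words such as the username.
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears in a breached-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1+", pw):
        problems.append("repetitive")
    if is_sequential(lowered):
        problems.append("sequential")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "my dog eats the blue couch on sundays"):
        print(repr(candidate))
        print("  old policy :", old_style_check(candidate) or "accepted")
        print("  800-63B    :", nist_style_check(candidate) or "accepted")
```

Run it and the contrast is the whole argument of the post: "P@ssw0rd" satisfies every legacy composition rule and is rejected only by the breach blocklist, while a seven-word passphrase fails three legacy rules and is accepted by the 800-63B style check. Rotation is deliberately absent from the new check; under 800-63B the only trigger for a forced change is evidence of compromise.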
This is excellent advice, and is what I've been recommending for years and years.  For years the assumption has been based on how Grandpa managed his 8-character passwords.  For years, the assumption has been that users are idiots - an understandable (if generally wrong) view that came out of the "IT: we hate our users" mindset.  And so we had all the stupid rules about how complicated your password has to be*, which confused users and increased the antagonism between IT and the user community.  And then the passwords had to change every 90 days.

All because of the earlier NIST recommendations, which is why it matters that NIST is now the one reversing them.

This is a big first step.  Sadly, it is likely to take years before this new guidance sinks in and everyone lets you pick one really good password that you remember and which you never have to change.  But all journeys start with a single step.


* My favorite password complexity rule is "Password must be a palindrome".  Sneak.


Unknown said...

What I found to be the biggest annoyance were businesses (typically banks and credit card companies in my experience) which inexplicably either did not allow upper-case or did not allow special characters " # $ % & ' ( ) * + , - . : ; < = > ? @ in passwords.

Knowing that I would need a new secure password, I would create one before setting up the account, spending time to come up with one that I would have a chance of remembering in case of disaster if my home and office were inaccessible, only to find that it won't work -- and I'd better come up with something acceptable to new rules (that they won't tell me) quickly before the page times out.

Jester said...

Try working in the .gov sphere of things where I currently have no less than two dozen logins requiring passwords of specific complexity. And they change anywhere from 30 days to 120 days. And you can't use an old password. And oftentimes even when I do have the passwords logged offline they still do not work. Which requires me to get a new password. And sure enough it won't let me use the previous password that the system suddenly recognizes. This is all with the requirement of a CAC card. Which in theory you should only need to get on to any of these websites or the like anyway.

Comrade Misfit said...

My bank requires resetting the password occasionally. My response has been to stop using the online features. If I have a question, I'll contact them or go ask a teller.

LindaG said...

I have no chance of remembering all my passwords. I keep all four pages (or more?) in a text file. If I lose my computer, I will be sunk. I should print them out sometime, I guess. I am retired and do most money related things at home.

Because of all these incidents, I never use actual words for anything money related. My passwords are anywhere from 10 to 18 characters long and use special characters if the website allows. I use a random generator (hence the save file) and I never copy from the generator to the website.

I like your way of thinking, but not sure I could remember an *easy* pass phrase without my file these days.

ProudHillbilly said...

I'm old. I can't remember things. You make me change my password every couple months and I'm going to do exactly what our mandatory training told us not to do - write it on a yellow sticky and put it in my desk drawer. As well as have passwords like i*hate*passwords.

Borepatch said...

ProudHillbilly, exactly. This is why this is a good step forward. You can have one long and strong password that doesn't ever need to be changed.

Unfortunately, it will take the world years to catch up, but now at least this is formally considered "Best Practice"

Jester said...

Well this means since largely the .gov just got caught up to the change-password-every-30-days and have-dead-languages-in-it rules, it means it will be a decade till they catch back up again. Particularly since their rank and file IT people are filled with folks that can hardly turn on a computer, and the rest so besodden and handcuffed by outdated everything they may as well piss into the wind. A year ago I got the upgraded computer. 8 Gigs. 5. In 2016. Which still is not enough to run most flash programs or the like to do the required online training for us all. *side vent I suppose* Mind you the .gov folks that make the dictations of what my .gov folks require for IT security are the ones that also.. put out regulations for it. Yay!

Dan said...

What Jester said. Both times. Dot-mil is the same. All this time, I thought a Common Access Card (CAC) was to eliminate these issues. Silly me...

Richard said...

Having the best password in the world does you no good when someone hacks into the main server at Anthem or Target or Yahoo or .... I have concluded that the whole thing is just more security theater.

Bill Matthey said...

Passwords. I can never remember the one I need.
I keep a log book of all my passwords. Right now it's at 2.5 pages in length. The book sits in a plastic bin along with a lot of pencils, pens and other useless items. It is not labeled "Passwords" so I feel completely safe.