Here is the text of the NIST sp800-63b Digital Identity Guidelines.
How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.
lvxferre@mander.xyz 1 month ago
Reworded rules for clarity:
I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.
frezik@midwest.social 1 month ago
NIST generally knows what they’re doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.
grue@lemmy.world 1 month ago
For now, at least. Could change after Inauguration Day.
M500@lemmy.ml 1 month ago
Didn’t know about sha3.
catloaf@lemm.ee 1 month ago
I hate that anyone has to be told not to truncate passwords. Like even if you haven’t had any training at all, you’d have to be advanced stupid to even come up with that idea in the first place.
Amanduh@lemm.ee 1 month ago
Can you elaborate further? Why would someone want to truncate passwords to begin with?
MajorHavoc@programming.dev 1 month ago
It needed to be said. Because some password system architects have been just that stupid.
Dhs92@programming.dev 1 month ago
I’ve seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It’s infuriating
dual_sport_dork@lemmy.world 1 month ago
This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus insisting that they change their password to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.
Remember: Users do not care about passwords. From the perspective of anyone who isn’t a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd put in front of the user that is preventing them from doing whatever it is they were actually trying to do.
Starbuncle@lemmy.ca 1 month ago
Everyone I’ve spoken to who has a password change rule just changes one character from their previous password. It does NOTHING.
Tanoh@lemmy.world 1 month ago
Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.
hamsterkill@lemmy.sdf.org 1 month ago
NIST knows what they’re doing. It’s getting organizations to adapt that’s hard. NIST has recommended against expiring passwords for like a decade already, for example, yet pretty much every IT dept still has passwords expiring at least once a year.
perviouslyiner@lemmy.world 1 month ago
re #7, I hope they are also saying no ‘secret questions’ to reset the password?
Buddahriffic@lemmy.world 1 month ago
Yeah, I think 7 and 8 both cover that. I recently signed up for an account where all of the “security questions” provided asked about things that could be either looked up or reasonably guessed based on looked up information.
We live in a tech world designed for the technically illiterate.
lvxferre@mander.xyz 1 month ago
I think so, based on the original: “Verifiers and CSPs [credential service providers] SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.” With “shall not” being used for hard prohibitions.
cybersandwich@lemmy.world 1 month ago
I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.
lvxferre@mander.xyz 1 month ago
That stipulation goes rather close to #5, even not being a composition rule.
I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you’re reasonably sure that your delay between failed password attempts works flawlessly.
General_Effort@lemmy.world 1 month ago
Hmm. I wonder about this one. Different ways to encode the same character. Different ways to calculate the length. No obvious max byte size.
dual_sport_dork@lemmy.world 1 month ago
Who cares? It’s going to be hashed anyway. If the same user can generate the same input, it will result in the same hash. If another user can’t generate the same input, well, that’s really rather the point. And I can’t think of a single backend, language, or framework that doesn’t treat a single Unicode character as one character. Byte length of the character is irrelevant as long as you’re not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.
tastysnacks@programming.dev 1 month ago
What kind of barbarian puts a space in their password?
naticus@lemmy.world 1 month ago
Very common for pass phrases, and not dissuaded. Pass phrases are good for people to remember without using poor storage practices (post it notes, txt file, etc) and are strong enough to keep secure against brute force attacks or just guessing based off knowledge of the user.
lol_idk@lemmy.ml 1 month ago
I’m waiting for backspace to be a valid character
rebelsimile@sh.itjust.works 1 month ago
gosh who would want an uncommon character that obviously most average people aren’t thinking about in their passwords, that sounds like it might even be somewhat secure.
randombullet@programming.dev 1 month ago
My passphrase includes several spaces. It’s another character to assist in entropy.
portifornia@lemmy.world 1 month ago
I’m with you, despite seeing lemmings downvote the heck out of your comment 😢
The reason, and specifically for whitespace at the beginning or end of a password, is that a lot of users copy-paste their passwords into the form, and for various reasons, whitespace can get pasted in, causing an invalid match. No bueno.
Source: I’m a web developer who has seen this enough times that we had to implement a whitespace-trim validation for both setting & entering passwords.
turtle@lemm.ee 1 month ago
It’s crazy that they didn’t include all the “should” items in that list. If you read the entire section, there’s a critical element that’s missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using “password” as their password, and keeping that forever. Really, really poor organization on their part. I’m already fighting this at work.
NotMyOldRedditName@lemmy.world 1 month ago
I think it’s pretty idiotic to
They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.
If a website doesn’t enforce it, people are just going to do a password like password
password is a totally valid password under this rule. Any 8 letter word is valid. hopsital for example.
These passwords can be cracked in seconds, and have their hashes checked for in leaks in no time.
lvxferre@mander.xyz 1 month ago
The problem with this sort of requirement is that most people will solve it the laziest way. In this case, “ah, I can’t use «hospital»? Mkay, «Hospital1» it is! Yay it’s accepted!”. And then there’s zero additional entropy - because the first char still has 26 states, and the additional char has one state.
Someone could of course “solve” this by inserting even further rules, like “you must have at least one number and one capital letter inside the password”, but then you get users annotating the password in a .txt file because it’s too hard to remember where they capitalised it or did their 1337.
Instead just skip all those silly rules. If offline attacks are such a concern, increase the min pass length. Using both lengths provided by the guidelines: