this post was submitted on 26 Sep 2024
546 points (99.3% liked)

Technology

58970 readers
5357 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 335 points 1 month ago (29 children)

Reworded rules for clarity:

  1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
  2. Max length should allow at least 64 chars.
  3. You should accept all ASCII plus space.
  4. You should accept Unicode; if doing so, you must count each code as one char.
  5. Don't demand composition rules (e.g. "u're password requires a comma! lol lmao haha" tier idiocy)
  6. Don't bug users to change passwords periodically. Only do it if there's evidence of compromise.
  7. Don't store password hints that others can guess.
  8. Don't prompt the user to use knowledge-based authentication.
  9. Don't truncate passwords for verification.

I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible.

[–] [email protected] 117 points 1 month ago (2 children)

NIST generally knows what they're doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.

[–] [email protected] 26 points 1 month ago

NIST generally knows what they're doing

For now, at least. Could change after Inauguration Day.

[–] [email protected] 7 points 1 month ago

Didn’t know about sha3.

[–] [email protected] 59 points 1 month ago (2 children)

I hate that anyone has to be told not to truncate passwords. Like even if you haven't had any training at all, you'd have to be advanced stupid to even come up with that idea in the first place.

[–] [email protected] 24 points 1 month ago (2 children)

Microsoft used to do that. I made a password in the late 90's for a we service and I found out that it truncated my password when they made it after it warned my my password was too long when I tried to log in. It truncated at 16 characters.

[–] [email protected] 7 points 1 month ago (2 children)

The weirdest one I found was a site that would only check to see if what you entered started with the correct password. So if your password was hunter2 and you tried hunter246, it would let you in.

Which means not only were they storing the password, but they had to go out of their way to use the wrong kind of string comparison.

load more comments (2 replies)
load more comments (1 replies)
[–] [email protected] 8 points 1 month ago (1 children)

Can you elaborate further? Why would someone want to truncate passwords to begin with?

[–] [email protected] 23 points 1 month ago (2 children)

To save a few megabytes of text in a database somewhere. Likely the same database that gets hacked.

[–] [email protected] 28 points 1 month ago (1 children)

Which shouldn't even matter because passwords are salted and hashed before storing them, so you're not actually saving anything. At least they better be. If you're not hashing passwords you've got a much bigger problem than low complexity passwords.

[–] [email protected] 33 points 1 month ago (1 children)

The place that truncates passwords is probably not the place to look for best practices when it comes to security. :-)

[–] [email protected] 5 points 1 month ago (12 children)

Hashing passwords isn't even best practice at this point, it's the minimally acceptable standard.

load more comments (12 replies)
load more comments (1 replies)
[–] [email protected] 52 points 1 month ago* (last edited 1 month ago) (1 children)
  1. Don't truncate passwords for verification.

It needed to be said. Because some password system architects have been just that stupid.

Edit: Fear of other's stupidity is the mind killer. I will face my fear. My fear will wash over me, and when it has passed, only I will remain. Or I'll be dead in a car accident caused by an AI driver.

[–] [email protected] 53 points 1 month ago (3 children)

I've seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It's infuriating

[–] [email protected] 23 points 1 month ago* (last edited 1 month ago)

Years back, I had that happen on PayPal of all websites. Their account creation and reset pages silently and automatically truncated my password to 16 chars or something before hashing, but the actual login page didn't, so the password didn't work at all unless I backspaced it to the character limit. I forgot how I even found that out but it was a very frustrating few hours.

[–] [email protected] 10 points 1 month ago (1 children)
[–] [email protected] 5 points 1 month ago

Banks usually have the absolute worst password policies. It's typically because their backend is some crusty mainframe from the 80s that limits inputs to something absurdly insecure by today's standards and they've kicked the upgrade can down the road for so long now that it's a staggeringly monumental task to rewrite it all. Thankfully most of them have upgraded at this point, but every now and then you still find one that's got ridiculous limits like a maximum password length of 8 and only alphanumeric characters (with no 2FA obviously).

[–] [email protected] 7 points 1 month ago

Another ridiculous policy I've seen (many years ago) is logging in too fast. I used to get locked out of my banks website all the time and I used autotype with KeePass so I was baffled when it wouldn't get accepted. Eventually I had a thought to slow down the typing mechanism and suddenly I didn't get locked out anymore.

[–] [email protected] 36 points 1 month ago* (last edited 1 month ago) (1 children)

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus incessantly insisting that they change their password every 7/14/30 days to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.

Remember: Users do not care about passwords. From the perspective of anyone who isn't a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd keeps putting in front of them that is preventing them from doing whatever it is they were actually trying to do.

[–] [email protected] 32 points 1 month ago (2 children)

Everyone I've spoken to who has a password change rule just changes one character from their previous password. It does NOTHING.

[–] [email protected] 21 points 1 month ago (2 children)

That works great until some dickhole implements the old, "New password cannot contain any sequence from your previous (5) passwords."

This also of course necessitates storing (multiple successive!) passwords in plain text or with a reversible cipher, which is another stupid move. You'd think we'd have gotten all of this out of our collective system as a society by now, and yet I still see it all the time.

All of these schemes are just security theater, and actively make the system in question less secure while accomplishing nothing other than berating and frustrating its users.

[–] [email protected] 8 points 1 month ago

HA, I hope you're joking. Surely nobody's actually done that, right? ....Riiiight?

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago)

This also leads to stupid rules like you can’t change your password more than once a day, to prevent someone from changing their password 5 times and then changing it back to what it was before.

[–] [email protected] 13 points 1 month ago* (last edited 1 month ago)

"I just increment the number at the end" is a phrase I've heard so many times

[–] [email protected] 19 points 1 month ago

NIST are bureaucrats sure, but bureaucrats with lots and lots of practical experience.

[–] [email protected] 13 points 1 month ago

Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.

[–] [email protected] 11 points 1 month ago

I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible

NIST knows what they're doing. It's getting organizations to adapt that's hard. NIST has recommended against expiring passwords for like a decade already, for example, yet pretty much every IT dept still has passwords expiring at least once a year.

[–] [email protected] 11 points 1 month ago (2 children)

re #7, I hope they are also saying no 'secret questions' to reset the password?

[–] [email protected] 13 points 1 month ago (2 children)

Yeah, I think 7 and 8 both cover that. I recently signed up for an account where all of the "security questions" provided asked about things that could be either looked up or reasonably guessed based on looked up information.

We live in a tech world designed for the technically illiterate.

[–] [email protected] 10 points 1 month ago* (last edited 1 month ago) (2 children)

I usually invent answers to those and store those answers in a password manager. Essentially turns them into backup passwords that can be spoken over the phone if necessary.

Where was I born? "Stallheim, EUSA, Mars"

Name of first pet? "Groovy Tuesday"

It's fun, usually.

[–] [email protected] 5 points 1 month ago

I tried that without a password manager for a little while. But then my answers were too abstract to remember, so now I also use a password manager for that.

[–] [email protected] 4 points 1 month ago (1 children)

What is the first name of your first best friend?

eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq

Oh old eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq and I go way back! I met eoY&Z9m4LNRDY!Gzdd%q98LYiBi8Nq in Pre-K and we’ve been inseparable ever since.

It is quite annoying if they’re a service that makes you read aloud your security questions to phone reps to prove your identity. One of my retirement accounts requires that and I have to sigh and read out the full string. I’ve changed it since to an all lowercase, 20 digit string as a compromise.

[–] [email protected] 5 points 1 month ago* (last edited 1 month ago)

20 character all lowercase is very secure as long as its random words / letters that would make it unguessable by knowing you.

Edit: you could also prefix it if you think you'd have to read it

"This question is stupid fuck nuts house gravel neptune cow."

[–] [email protected] 5 points 1 month ago (1 children)

Sarah Palin had her Yahoo mail account hacked because of those "security" questions. In 2008. We should be well past the time where they are a thing.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 10 points 1 month ago (1 children)

I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago)

~~That stipulation goes rather close to #5, even not being a composition rule.~~ EDIT: see below.

I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you're reasonably sure that your delay between failed password attempts works flawlessly.

EDIT: as I was re-reading the original, I found the relevant excerpt:

If the CSP [credential service provider] disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other complexity requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.

So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren't associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it's just some muppet trying passwords online versus trying it offline.

[–] [email protected] 6 points 1 month ago (1 children)

You should accept Unicode; if doing so, you must count each code as one char.

Hmm. I wonder about this one. Different ways to encode the same character. Different ways to calculate the length. No obvious max byte size.

[–] [email protected] 10 points 1 month ago (2 children)

Who cares? It's going to be hashed anyway. If the same user can generate the same input, it will result in the same hash. If another user can't generate the same input, well, that's really rather the point. And I can't think of a single backend, language, or framework that doesn't treat a single Unicode character as one character. Byte length of the character is irrelevant as long as you're not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.

[–] [email protected] 5 points 1 month ago

It matters for bcrypt/scrypt. They have a 72 byte limit. Not characters, bytes.

That said, I also think it doesn't matter much. Reasonable length passphrases that could be covered by the old Latin-1 charset can easily fit in that. If you're talking about KJC languages, then each character is actually a whole word, and you're packing a lot of entropy into one character. 72 bytes is already beyond what's needed for security; it's diminishing returns at that point.

load more comments (1 replies)
[–] [email protected] 3 points 1 month ago

It's crazy that they didn't include all the "should" items in that list. If you read the entire section, there's a critical element that's missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using "password" as their password, and keeping that forever. Really, really poor organization on their part. I'm already fighting this at work.

load more comments (18 replies)