Post AVcL16uRCmliBVYfUO by tek@freeradical.zone
(DIR) Post #AVcKzxBHtBSviut6ky by tek@freeradical.zone
2023-05-13T16:12:08Z
0 likes, 0 repeats
While I'm in there anyway, here are some nuggets from NIST SP 800-63B, section 5, "Authenticator and Verifier Requirements", aka password requirements:
(DIR) Post #AVcL16uRCmliBVYfUO by tek@freeradical.zone
2023-05-13T16:12:21Z
0 likes, 0 repeats
5.1.1.1 Memorized Secret Authenticators. "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. [...] No other complexity requirements for memorized secrets SHOULD be imposed."
(DIR) Post #AVcLCxKMejdZwTKjo0 by tek@freeradical.zone
2023-05-13T16:14:30Z
0 likes, 0 repeats
5.1.1.2 Memorized Secret Verifiers. [Password hints suck. Denying bad passwords like 'aaaaaa' is fine. Rate limit logins.] "Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets."
(DIR) Post #AVcLaQeBoP1zXIncDA by tek@freeradical.zone
2023-05-13T16:18:44Z
0 likes, 0 repeats
Also, and this is key: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
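As an added illustration (not code from the thread or from NIST), here is a small policy check that implements the 5.1.1.1 and 5.1.1.2 rules quoted above: length-only requirements, a blocklist instead of composition rules, and a forced change only on evidence of compromise. The blocklist, account record and sample inputs are constructed for the example.

```python
# Added example, not from the thread or from NIST SP 800-63B itself.
# Implements the quoted rules: min 8 chars if user-chosen, min 6 if CSP-generated,
# no composition rules, reject blocklisted/repetitive values, rotate only on compromise.
import unicodedata

# Constructed blocklist; a real deployment would use a large leaked-password corpus.
BLOCKLIST = {"password", "password1", "12345678", "qwerty123", "letmein1"}

MIN_LEN_SUBSCRIBER = 8   # chosen by the subscriber
MIN_LEN_CSP = 6          # chosen randomly by the CSP/verifier (MAY be all digits)


def normalize(secret: str) -> str:
    # 800-63B recommends Unicode normalization (NFKC or NFC) before processing,
    # and length is counted in Unicode code points, which len() does here.
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """Catch values like 'aaaaaaaa', 'abcdefgh' or '12345678'."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_memorized_secret(secret: str, chosen_by_subscriber: bool = True,
                           context_words=()) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.
    Deliberately imposes no 'one uppercase, one digit, one symbol' rules."""
    s = normalize(secret)
    problems = []
    min_len = MIN_LEN_SUBSCRIBER if chosen_by_subscriber else MIN_LEN_CSP
    if len(s) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if chosen_by_subscriber:
        low = s.lower()
        if low in BLOCKLIST:
            problems.append("on the blocklist of common/compromised passwords")
        if is_repetitive_or_sequential(low):
            problems.append("repetitive or sequential characters")
        if any(w.lower() in low for w in context_words if w):
            problems.append("contains a context-specific word (service or user name)")
    return problems


def must_force_change(account: dict) -> bool:
    """No scheduled rotation: a change is forced only on evidence of compromise."""
    return bool(account.get("compromise_evidence"))
```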
(DIR) Post #AVcLodsrOZF0dvRGtM by tek@freeradical.zone
2023-05-13T16:21:18Z
0 likes, 1 repeats
If you come anywhere near authentication services for a living, you must read NIST 800-63B (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf). It’s very clear, readable, and useful. And if you require wildly complex passwords, or disable pasting them into web forms, or make users rotate them, you’re violating government standards and best practices. Stop that!
(DIR) Post #AVcME7346CcOKpMDWC by blit32@noc.social
2023-05-13T16:25:54Z
0 likes, 1 repeats
@tek Not only are you violating standards, with the new national cybersecurity strategy you might be liable if violating those standards causes harm to your users.
(DIR) Post #AVcMLK9Zm0QT0SqEE4 by wilbr@glitch.social
2023-05-13T16:27:11Z
0 likes, 0 repeats
@tek IIRC this may conflict with PCI that wants old credentials rotated, idk I'll have to check
(DIR) Post #AVcNFjP555gVXDzUOm by gizmo@gremlins.social
2023-05-13T16:35:52.743Z
0 likes, 0 repeats
@tek@freeradical.zone thank you! I knew there was a standard somewhere that said you needed to allow password managers. Now I know what to throw at my boss if/when they start muttering about pasting passwords!
(DIR) Post #AVcNFkJ5iqUIKwCDhY by tek@freeradical.zone
2023-05-13T16:37:23Z
0 likes, 0 repeats
@gizmo Right on! Knowledge is power. 🙂
(DIR) Post #AVcNznvQbMXosb5eKW by pseudonym@calckey.social
2023-05-13T16:38:26.218Z
0 likes, 0 repeats
@blit32@noc.social @tek@freeradical.zone Completely agree. But some places are stuck between conflicting standards. PCI-DSS (payment card regs for handling credit cards) still requires periodic (90 days, I think) password rotation. :-( You can't win. I'm on team NIST standards. #infosec
(DIR) Post #AVcNzoeRtyYb8E9bVI by tek@freeradical.zone
2023-05-13T16:45:43Z
0 likes, 0 repeats
@pseudonym @blit32 Conflicting standards? That never happens!
(DIR) Post #AVcQFVyRJPlJkJ7Mbw by mkj@social.linux.pizza
2023-05-13T17:10:59Z
0 likes, 0 repeats
@tek @pseudonym @blit32 If there are conflicting standards, then we must be in need of a unifying standard! Thereby invoking https://xkcd.com/927/
(DIR) Post #AVcR426u6TVptXALdQ by objectinspace@freeradical.zone
2023-05-13T17:20:08Z
0 likes, 0 repeats
@tek Did some QA for Google back in the day. The vendor I worked for had a 90-day password recycling policy (and of course, you could not use an old one.) If you wanted it recovered, you had to call a phone line that would email a PDF of a screencap of your temporary password. (Which I couldn't see, naturally)... My work email from Google had none of these restrictions. There is a lesson here, but no one was inclined to learn it.
(DIR) Post #AVcRAuDhq04jRzcnNg by objectinspace@freeradical.zone
2023-05-13T17:21:21Z
0 likes, 0 repeats
@tek Did some QA for Google back in the day. The vendor I worked for had a 90-day password recycling policy (and of course, you could not use an old one.) If you wanted it recovered, you had to call a phone line that would email a PDF of a screencap of your temporary password. (Which I couldn't see, naturally)... My work email from Google (the one I actually used) had none of these restrictions. There is a lesson here, but no one was inclined to learn it.
(DIR) Post #AVcTd2ujJ6osQmIKvo by mkj@social.linux.pizza
2023-05-13T17:13:36Z
0 likes, 0 repeats
@pseudonym @tek @blit32 So how about you segregate that? Surely it will improve security if you force people to go through a password reset process every odd few weeks when they need access to that kind of data and have forgotten their password, compared to if you let people set a strong password and just be done with it. Also lots of companies force their employees to change their passwords with alarming frequency even when those employees, or even the company, never handle/s credit card info.
(DIR) Post #AVcTd3rDndbjMBf36O by blit32@noc.social
2023-05-13T17:18:49Z
0 likes, 0 repeats
@mkj @pseudonym @tek I would question the assumption that forcing users to change their passwords improves security. I’ve used the “password1”, “password2” pattern when forced to change passwords frequently and I expect everyone else on the planet has too, does that offer improved security?
(DIR) Post #AVcTd5RltEREHplki8 by tek@freeradical.zone
2023-05-13T17:48:50Z
0 likes, 0 repeats
@blit32 @mkj @pseudonym That’s exactly why NIST says not to do it. People forced into that goofy system tend to pick crappy, easy to remember passwords.
(DIR) Post #AVclgltMKqefyGa0ci by Kiki@chaos.social
2023-05-13T21:11:12Z
0 likes, 0 repeats
@tek I see Mary Theofanos on the cover, I fav and boost. It's that simple.
(DIR) Post #AVdATkKTKdBKDK9CjI by LilFluff@ping.the-planet.space
2023-05-13T21:47:11.744Z
0 likes, 0 repeats
@tek@freeradical.zone I recently brought this up at work, "You do realize here at Mumble College we're in violation of NIST security standards for forcing password changes on a regular schedule, right?" I'm also a bit amused that one of the authors of the current standard was the guy who originally proposed requiring scheduled changes and complexity requirements (shades of the guy who wrote the book alpha wolf/wolf pack behavior tropes come from)
(DIR) Post #AVdATlMzSkn3RQKjIG by tek@freeradical.zone
2023-05-14T01:48:55Z
0 likes, 0 repeats
@LilFluff I get why it seemed like a good idea at the time, but we’ve acquired more data since then.
(DIR) Post #AVdFotL3WtoG0ZK4Ya by greyduck@wellduck.me
2023-05-14T02:48:47Z
0 likes, 0 repeats
@tek That's fascinating stuff, I'll need to go over that when I'm back on the clock next week. Thanks! (Wish Windows would allow password pasting. Ugh.)
(DIR) Post #AVi0RMJTclhrOnhjv6 by brianpierce@med-mastodon.com
2023-05-16T09:50:02Z
0 likes, 0 repeats
@tek This was one of the most frustrating things about hospital IT! NIST stopped recommending rotating passwords years ago. It does more harm than good.