549

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

top 50 comments
sorted by: hot top controversial new old
[-] lvxferre@mander.xyz 336 points 3 months ago

Reworded rules for clarity:

  1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
  2. Max length should allow at least 64 chars.
  3. You should accept all ASCII plus space.
  4. You should accept Unicode; if doing so, you must count each code as one char.
  5. Don't demand composition rules (e.g. "u're password requires a comma! lol lmao haha" tier idiocy)
  6. Don't bug users to change passwords periodically. Only do it if there's evidence of compromise.
  7. Don't store password hints that others can guess.
  8. Don't prompt the user to use knowledge-based authentication.
  9. Don't truncate passwords for verification.

I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible.

[-] frezik@midwest.social 117 points 3 months ago

NIST generally knows what they're doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.

[-] grue@lemmy.world 26 points 3 months ago

NIST generally knows what they're doing

For now, at least. Could change after Inauguration Day.

load more comments (1 replies)
[-] catloaf@lemm.ee 59 points 3 months ago

I hate that anyone has to be told not to truncate passwords. Like even if you haven't had any training at all, you'd have to be advanced stupid to even come up with that idea in the first place.

[-] einlander@lemmy.world 24 points 3 months ago

Microsoft used to do that. I made a password in the late 90's for a we service and I found out that it truncated my password when they made it after it warned my my password was too long when I tried to log in. It truncated at 16 characters.

load more comments (4 replies)
load more comments (18 replies)
[-] MajorHavoc@programming.dev 52 points 3 months ago* (last edited 3 months ago)
  1. Don't truncate passwords for verification.

It needed to be said. Because some password system architects have been just that stupid.

Edit: Fear of other's stupidity is the mind killer. I will face my fear. My fear will wash over me, and when it has passed, only I will remain. Or I'll be dead in a car accident caused by an AI driver.

[-] Dhs92@programming.dev 53 points 3 months ago

I've seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It's infuriating

[-] Ashelyn@lemmy.blahaj.zone 23 points 3 months ago* (last edited 3 months ago)

Years back, I had that happen on PayPal of all websites. Their account creation and reset pages silently and automatically truncated my password to 16 chars or something before hashing, but the actual login page didn't, so the password didn't work at all unless I backspaced it to the character limit. I forgot how I even found that out but it was a very frustrating few hours.

load more comments (3 replies)
[-] dual_sport_dork@lemmy.world 36 points 3 months ago* (last edited 3 months ago)

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus incessantly insisting that they change their password every 7/14/30 days to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.

Remember: Users do not care about passwords. From the perspective of anyone who isn't a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd keeps putting in front of them that is preventing them from doing whatever it is they were actually trying to do.

[-] Starbuncle@lemmy.ca 32 points 3 months ago

Everyone I've spoken to who has a password change rule just changes one character from their previous password. It does NOTHING.

[-] dual_sport_dork@lemmy.world 21 points 3 months ago

That works great until some dickhole implements the old, "New password cannot contain any sequence from your previous (5) passwords."

This also of course necessitates storing (multiple successive!) passwords in plain text or with a reversible cipher, which is another stupid move. You'd think we'd have gotten all of this out of our collective system as a society by now, and yet I still see it all the time.

All of these schemes are just security theater, and actively make the system in question less secure while accomplishing nothing other than berating and frustrating its users.

load more comments (2 replies)
[-] Flying_Hellfish@lemmy.world 13 points 3 months ago* (last edited 3 months ago)

"I just increment the number at the end" is a phrase I've heard so many times

[-] magic_smoke@links.hackliberty.org 19 points 3 months ago

NIST are bureaucrats sure, but bureaucrats with lots and lots of practical experience.

[-] Tanoh@lemmy.world 13 points 3 months ago

Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.

load more comments (35 replies)
[-] VantaBrandon@lemmy.world 90 points 3 months ago

How about making it illegal to block copying and pasting on website forms. I'm literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

[-] johannesvanderwhales@lemmy.world 73 points 3 months ago

Frankly I'm mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

There are plugins that will disallow this. I think the one I use is "don't fuck with paste"

[-] dual_sport_dork@lemmy.world 15 points 3 months ago

Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.

Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.

load more comments (3 replies)
[-] D_Air1@lemmy.ml 13 points 3 months ago

Browsers shouldn't allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also searching on the page with ctrl + f. Like I don't care that websites won't to create their own experience. Don't mess with browser behavior.

load more comments (2 replies)
load more comments (3 replies)
[-] dsilverz@thelemmy.club 16 points 3 months ago

I circumvent that by right-clicking, then choosing "Inspect element", then switching to the tab "Console", then typing $0.value = "TheValueIWantToPaste". If right-clicking is also disabled, I use either F12 or Tools menu > DevTools.

load more comments (4 replies)
[-] DelightfullyDivisive@lemmy.world 15 points 3 months ago

It takes way less Delta V to push them into solar escape velocity.

[-] atocci@lemmy.world 12 points 3 months ago

Anger is no excuse to be inefficient with propellant after all

load more comments (1 replies)
load more comments (2 replies)
[-] umami_wasbi@lemmy.ml 85 points 3 months ago* (last edited 3 months ago)

the document is nearly impossible to read all the way through and just as hard to understand fully

It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

[-] Toribor@corndog.social 28 points 3 months ago

My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I'm responsible for and what we're supposed to do about it.

Props to all the folks that can do it without losing their mind.

load more comments (3 replies)
load more comments (4 replies)
[-] Madblood@lemmy.world 41 points 3 months ago

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I'm good to go. If there's no internet available, the smart card will still get me into my computer. If I'm on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

load more comments (2 replies)
[-] Semi_Hemi_Demigod@lemmy.world 40 points 3 months ago

One thing they should change is the word "password." This implies that it's a short string. Changing it to "passphrase" will help people feel comfortable choosing credentials like "correct horse battery staple."

load more comments (2 replies)
[-] jj4211@lemmy.world 33 points 3 months ago

Meanwhile, my company has systems insisting on expiring ssh keys after 90 days...

load more comments (9 replies)
[-] xthexder@l.sw0.com 28 points 3 months ago

Interesting that unicode support is suggested. Emoji passwords could be fun.

[-] dual_sport_dork@lemmy.world 25 points 3 months ago

Characters are characters. The system I just wrote will accept anything, because the first thing I do with it is hash it. If you want to make your password:

░▒▓█ ʥ۞ݔݯݲݸݴݺ '; drop table users; 🤣💩ʩ █▓▒░

Then go for it. More power to you for typing that out or, more likely, letting your password manager remember it. Make your password as entropic as you can manage, I don't care how you arrive there.

[-] sugar_in_your_tea@sh.itjust.works 16 points 3 months ago

Yup. All I care is that your password isn't the entire works of Shakespeare or something like that. A couple hundred characters/bytes? You do you.

What really bothers me is when a website says something like: must have a special character, except these ones (proceeds to list everything except @ and !). And then the next one has the same rule, but different exceptions.

Passwords should be treated as a black box, just read it as bytes and throw it into the hash algorithm. You want to somehow enter a nyan cat? Be my guest, no guarantee the input box will accept it though.

[-] Smokeless7048@lemmy.world 12 points 3 months ago

also: "password is too long, max password length is 12 digits"

Why... like, sure, cap it at 256 or something reasonable. but ive run into as low as 9 digits.

load more comments (3 replies)
load more comments (1 replies)
load more comments (4 replies)
[-] ctkatz@lemmy.ml 27 points 3 months ago

i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn't reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn't install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.

fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren't sitting at the office computer but other than that people are much happier about passwords now.

[-] driving_crooner@lemmy.eco.br 27 points 3 months ago* (last edited 3 months ago)

Half the users passwords is going to be {Company}@{YEAR}

[-] evranch@lemmy.ca 21 points 3 months ago

Don't forget classics like Fuck_this_shit1! Fuck_this_shit2!

load more comments (1 replies)
[-] lol_idk@lemmy.ml 18 points 3 months ago* (last edited 1 month ago)
load more comments (2 replies)
load more comments (2 replies)
[-] MonkderVierte@lemmy.ml 27 points 3 months ago

You heard it: stop imposing composition rules!

[-] Feelfold@lemm.ee 24 points 3 months ago

All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.

load more comments (4 replies)
[-] Classy@sh.itjust.works 21 points 3 months ago

The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that's very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it's my new password. Apparently this is more secure??

load more comments (2 replies)
[-] cmnybo@discuss.tchncs.de 20 points 3 months ago

Any password length (within reason) and any character should be allowed. It's going to be hashed and only the hash will be stored right? Length and character limits make me suspect it's being stored in plain text.

[-] AliasVortex@lemmy.world 24 points 3 months ago* (last edited 3 months ago)

I don't know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brute force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).

I very much agree with the rest though, it's unnerving when sites have a low max length. It almost feels like advertising that passwords aren't being hashed, and if that's the case there's a snowball's chance in hell that they're also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn't know how to sanitize strings (or entirely likely both)...

load more comments (3 replies)
[-] frezik@midwest.social 12 points 3 months ago

Rules here are 64 as a reasonable maximum. A lot of programmers don't realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.

load more comments (1 replies)
load more comments (8 replies)
[-] BelatedPeacock@lemmy.world 17 points 3 months ago

At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.

A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn't work for (the password manager's password, encrypted system partitions, etc). I'm assuming In just summed up 35,000 words.

load more comments
view more: next ›
this post was submitted on 26 Sep 2024
549 points (99.3% liked)

Technology

60105 readers
2127 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS