All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.
“Please insert your webcam.”
Interesting that unicode support is suggested. Emoji passwords could be fun.
my password is just 20 gigabytes of poop emojis.
Multiple languages.
Yeah, multiple languages or even putting an ê or something in an English password to mix things up. It makes perfect sense to allow.
It’s a good thing they require each codepoint to be treated as one character for the length limit, since “🤔🤣” is 8 bytes on its own, but the unicode prefix is trivial to guess.
The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that’s very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it’s my new password. Apparently this is more secure??
My favorite are some of the work systems that I need to access, but only infrequently, yet still have ridiculous password expiration rules. Nearly every time I log in, before I can access the system I have to change my password because of course it’s expired again. So I change the password, write it down because I’ll never remember it months from now when I need to use that password exactly once to login and change my password yet again.
How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.
Think of the environment!
Less Delta-V to eject them from the solar system.
I circumvent that by right-clicking, then choosing “Inspect element”, then switching to the tab “Console”, then typing $0.value = “TheValueIWantToPaste”. If right-clicking is also disabled, I use either F12 or Tools menu > DevTools.
Or just delete the “readonly” bit. I did that on Treasury Direct for years until they finally removed that nonsense.
Sometimes it’s not “readonly”, but a Javascript thing that “event.preventDefault()” and “return false” during the “onpaste” event. As the event is generally set using elm.addEventListener instead of setting elm.onpaste, it’s not possible to remove the listener, as it’d need the reference for the handler function that was set to handle the mentioned JS event. So simply setting the value directly using elm.value bypasses the onpaste event.
That’s fair, not sure why they’d go through that much effort when DOM attributes exist.
that’s so easy! /s
easier than typing out a long string
And here I wrote an AutoHotKey script to type out my clipboard a character at a time so I can paste stuff into this remote desktop software I’m using that doesn’t support paste…
It’s kinda necessary when the server’s unlock password is 256 characters long and completely random.
Cracking an 8-char on an ordinary desktop or laptop PC can still take quite a while depending on the details. Unfortunately, the existence of specialized crypto-coin-mining rigs designed to spit out hashes at high speed, plus the ability to farm things out into the cloud, means that the threat we’re facing is no longer the lone hacker cracking things on his own PC.
Newer password hashing algorithms have ways of combatting this. For example, argon2 will use a large amount of memory and CPU and can be tuned for execution time. So theoretically you could configure it to take 0.5 seconds per hash calculation and use 1 GB or more of ram. That’s going to be extremely difficult to bruteforce 8 characters.
The trade-off is it will take a second or two to login each time, but if you’ve got some secondary pin system in place for frequent reauthentication, it can be a pretty good setup.
Another disadvantage is the algorithm effectively gets less secure the less powerful your local device is. Calculating that same 0.5s hash on a beefy server vs your phone could make it take way longer or even impossible without enough ram.
Unfortunately, it’s rare that we can control what hashing algorithm is being used to secure the passwords we enter. I merely pray that any account that also holds my credit card data or other important information isn’t using MD5. Some companies still don’t take cybersecurity seriously.
Storing credit card data has its own set of strict security rules that need to be followed. It’s also the credit card company’s problem, not yours, as long as you dispute any fraudulent charges early enough.
I’m coming at this from the perspective of a developer. A user can always use a longer password (and you should), but it’s technically possible to make an 8 character password secure, thus the NIST recommend minimum.
You heard it: stop imposing composition rules!
i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn’t reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn’t install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.
fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren’t sitting at the office computer but other than that people are much happier about passwords now.
Stockholm1 (capitol)
90 days later:
Stockholm2
Ah, the downstream effects of compliance teams.
“Hurry we gotta check off all the boxes!!! What do these measures actually address? Don’t know, don’t care! Comply!”
For places that require periodic password changes I always append 2024Q3 or similar on the end of the same password. I KNOW that’s not secure, but f that place for being dumb
I would always just create 1 password and append a number and it’s special char, cycling from 1 to 0; like
1!
,2@
,3#
. Never stayed at a place long enough to go higher than 7 or 8.I never gave a fuck about doing this because it’s the companies fault for applying stupid policies. Whenever I’ve been allowed a password manager, they got real security instead of malicious compliance.
I feel like it’s not a big impact on security if I use 2fa anyway. (Base password)(month)(year) is fine for me 😅
Half the users passwords is going to be {Company}@{YEAR}
Don’t forget classics like Fuck_this_shit1! Fuck_this_shit2!
Any password length (within reason) and any character should be allowed. It’s going to be hashed and only the hash will be stored right? Length and character limits make me suspect it’s being stored in plain text.
Rules here are 64 as a reasonable maximum. A lot of programmers don’t realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.
I don’t know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brutal force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).
I very much agree with the rest though, it’s unnerving when sites have a low max length. It almost feels like advertising that passwords aren’t being hashed and if that’s the case there’s a snowball’s chance in hell that they’re also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn’t know how to sanitize strings (or entirely likely both)…
The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don’t want to deal with that.
Although it would only be on the order of a couple of extra microseconds and I’m not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.
But it really doesn’t, unless you’re sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.
I usually set mine to 256 characters to prevent DOS attacks, and also so I don’t need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don’t want to be there all day if I ever need to manually enter it (looking at you stupid smart TV…).
Then you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.
By any length I meant no maximum length. Obviously you don’t want to use a super short password.
Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.
“What’s your password?”
“The letter A.”
the document is nearly impossible to read all the way through and just as hard to understand fully
It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.
Useless??? Ever since the pandemic and the need for a robust remote work infrastructure, the amount of cybersecurity related job offers has exploded. And they’re very well paid where I live.
The knowledge and skill are useful, but I can’t say the same for the degree
My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I’m responsible for and what we’re supposed to do about it.
Props to all the folks that can do it without losing their mind.
You need to first understand the grand sturcture of the doc, then cherry pick the content to action points. At least that’s how I do it.
Please ban all the stupid password rules. I would rather just get hacked than be required to come up with an impossible to remember password with ever-increasing requirements once a month. It’s too much.
Please ban all the stupid password rules.
Yes.
I would rather just get hacked […]
Eh, no.
At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.
A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn’t work for (the password manager’s password, encrypted system partitions, etc). I’m assuming In just summed up 35,000 words.