Kevin P. FlemingJan 28, 2023

In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

Show threadJohn GordonJan 28, 2023

@kevin Some time ago NIST, which gov follows, made noises about redoing their always bad and long obsolete password recommendations. I don’t know if they ever got out. Maybe they would have embarrassed too many.

In my fed days I was told we must memorize all our passwords, never write them down, and change them monthly ….

Show threadMichael K JohnsonJan 28, 2023
@jgordon @kevin NIST published their changes years ago and made a lot of noise about it. I frequently search this up and provide it to folks demanding LUDS and short password expiry...
Show threadJohn Gordon

@mcdanlj @kevin

Good to know! When I last looked they seemed stuck in some pre-release state.

Jan 28, 2023 at 2:19pmWeb
Show threadMichael K JohnsonJan 28, 2023

@jgordon @kevin 2017, with small updates in 2020. Search for "nist password requirements" finds it and related documents.

https://pages.nist.gov/800-63-3/sp800-63b.html

5.1.1.2 Memorized Secret Verifiers
...
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.

...

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

NIST Special Publication 800-63B

NIST Special Publication 800-63B

Show threadJohn GordonJan 28, 2023

@mcdanlj @kevin

I had it wrong then … i probably last looked 2020. Thanks!!

Show threadakgoodJan 28, 2023

@mcdanlj @jgordon @kevin and there's a major draft update out for review right now that further changes all those SHOULDs to SHALLs

https://pages.nist.gov/800-63-4/sp800-63b.html

NIST Special Publication 800-63B

NIST Special Publication 800-63B

Show threadMichael K JohnsonJan 28, 2023

@akgood @jgordon @kevin Thank you! That's awesome news.

Verifiers SHALL allow the use of password managers. To facilitate their use, verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. Password manangers [sic] may increase the likelihood that users will choose stronger memorized secrets.

I wonder how one would generally allow the use of password managers without allowing paste?

🤔

Show threadJohn GordonJan 28, 2023

@akgood @mcdanlj @kevin

I think sometimes the crazy change mandates are a way to lazily disable access once an employee leaves… (eg. nobody cares about security…)

Show threadBrian DuffyJan 28, 2023
Usually the gotcha is that people with AD based identity don’t have tools for identifying the bad passwords from breaches, etc. You can either spend some dollars OR have complex passwords.