In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

@kevin Some time ago NIST, which gov follows, made noises about redoing their always bad and long obsolete password recommendations. I don’t know if they ever got out. Maybe they would have embarrassed too many.

In my fed days I was told we must memorize all our passwords, never write them down, and change them monthly ….

@jgordon @kevin they did. I still have to argue with auditors who expect behaviours now considered counterproductive by NIST (and in the UK, NCSC)

The one that causes the most friction is enforced password rotation, which just causes ${sports team}.${month number} passwords.

I once worked somewhere where 90% of the employees' passwords right now would be blades01 or wednesday01

(Both local football (soccer) teams here)