In today's episode of 'website security theatre' we present the US Government's "TreasuryDirect" site.

They don't just disable copy-and-paste into the password field, they disable *keyboard entry* into the password field. You are required to click buttons on this virtual keyboard in order to enter your password. Kudos to them for making high-entropy random passwords difficult to use!

Oh, and the password is also case-insensitive, probably because implementing shift-key support in the virtual keyboard would have been too complex.

#Password #SecurityTheatre

@kevin Some time ago NIST, which gov follows, made noises about redoing their always bad and long obsolete password recommendations. I don’t know if they ever got out. Maybe they would have embarrassed too many.

In my fed days I was told we must memorize all our passwords, never write them down, and change them monthly ….

@jgordon @kevin NIST changes did get out! No periodic resets, prioritise length over complexity rules, use password blocklists… some great stuff in here https://pages.nist.gov/sp800-63b.html
NIST Special Publication 800-63B
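As an added illustration of the SP 800-63B points listed in the reply above (length over composition rules, a blocklist of known-compromised passwords, no periodic resets), here is a small memorized-secret validator. This is example code written for this thread, not code from NIST, TreasuryDirect or any poster; the blocklist contents and the `check_password` interface are constructed for the demo, and the length limits follow the 8-character minimum and 64-character accepted maximum that the publication gives for subscriber-chosen secrets.

```python
import unicodedata

# Constructed, deliberately tiny blocklist standing in for a real list of
# breached or commonly used passwords (in practice: a large set loaded from disk).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "treasurydirect"}

MIN_LENGTH = 8    # SP 800-63B minimum for secrets chosen by the subscriber
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization, as SP 800-63B recommends, so that
    visually identical input compares equal.  Case is preserved: a verifier
    should not flatten the keyspace the way a case-insensitive password does."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means
    it is acceptable.  Spaces and any printable Unicode are allowed."""
    s = normalize(secret)
    reasons = []
    # Length is measured in code points after normalization.
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Blocklist lookup is case-folded so trivial case variants of a compromised
    # password are still caught; the password itself keeps its case when stored.
    if s.casefold() in blocklist:
        reasons.append("appears in the blocklist of known-compromised passwords")
    # Deliberately absent: composition rules ("must contain a digit and a
    # symbol") and any expiry date, both of which SP 800-63B advises against.
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "short1"]:
        verdict = check_password(candidate)
        print(repr(candidate), "->", "accepted" if not verdict else "; ".join(verdict))
```

The validator accepts a long multi-word passphrase, rejects a blocklisted word regardless of capitalization, and never asks for symbol or digit quotas; expiry is a policy question handled outside the validator (SP 800-63B says to rotate only on evidence of compromise).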