Mastodawn

SheilaAllen Oct 15, 2024

GREAT change is approaching. NIST will standardise prohibition of requirement of composing passwords from various character styles, and requirement for periodic password changes. These are harmful and obsolete rules. Now they will be treated as a cybersecurity weakness https://pages.nist.gov/800-63-4/sp800-63b.html

NIST Special Publication 800-63B

NIST Special Publication 800-63B

Andrew Zonenberg Sep 24, 2024

@LukaszOlejnik Banning stupid nonsense reset questions too? Nice.

Some of these have already been standardized in previous iterations (e.g. no mandatory password cycling) but I don't recall having seen that one before.

I think the requirement to allow arbitrary Unicode is new (and very much needed).

MicroBlog Castellano Sep 24, 2024

@azonenberg @LukaszOlejnik In the past, there was a problem with unicode chars not being stored as unicode pn certain platforms (I remember a pgp passphrase containing "á" that worked in pgp but not in gpg, since pgp had stored it as pc-850), but nowadays there should be no problem. And Unicode opens a whole world of entropy.

Ysegrim Sep 25, 2024

@azonenberg @LukaszOlejnik Recommendation (SHOULD), not requirement (SHALL).

Charles Choi 최 민수 Sep 25, 2024

@azonenberg @LukaszOlejnik on unicode password support, I truly think it needs to be a requirement for any software that claims to be i18n. It’s absurd to force users whose native language doesn’t use ASCII to use ASCII for their passwords.

Klaus Stein Sep 29, 2024

@kickingvegas @azonenberg @LukaszOlejnik

I am very much in favor of allowing all Unicode in passwords. On the other hands the user interface should warn the user when choosing the password that they may not be able to _produce_ specific characters on other computers/smartphones (e.g. when traveling and using foreign infrastructure). This can easily be an issue for inexperienced users for some services.

Michael Dwyer Sep 24, 2024

@LukaszOlejnik I thought this was already the case, but maybe I'm only thinking of the password rotation requirement.

Unfortunately, despite NIST's stance, the misery will remain for many of us until the PCI (payment card industry) standards also change.

Ben Aveling Sep 24, 2024

@mdwyer There's a bunch of changes in there. Not requiring password rotations was added, fairly recently.
And I was pushing for that for a long time
But I think that "should not" require password rotation goes to far. For some cases, once a year is, IMHO, more than justified.
@LukaszOlejnik

Zimmie Sep 24, 2024

@BenAveling @mdwyer @LukaszOlejnik NIST SP 800-63B (updated 2017-06) section 5.1.1.2:

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Edit: I see now this thread is about the latest version of SP 800-63B! The one I quoted above is 800-63-3, which has been replaced by 800-63-4. Seems they turned a bunch of SHOULD NOTs into SHALL NOTs.

waldi Sep 24, 2024

@mdwyer @LukaszOlejnik PCI got rid of that as well with the last version.

Sindarina, Edge Case Detective Sep 24, 2024

@LukaszOlejnik Direct link to the screenshotted part;

https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver

NIST Special Publication 800-63B

NIST Special Publication 800-63B

Joe Heafner Sep 24, 2024

@LukaszOlejnik Academic IT departments will never accept this.

John Quentin Heywood Sep 24, 2024

@heafnerj They should!

poleguy looking for lost tools Sep 25, 2024

@jqheywood @heafnerj They shall!

Ela Sep 24, 2024

@LukaszOlejnik Sanity! Finally!

Dawn Tåke 🌙

@LukaszOlejnik
Wonder how long till this flows to our insurance and thus IT at work.

tyzbit Sep 24, 2024

@LukaszOlejnik I dropped that into our security channel and watched with glee as they thought they weren't compliant, started enumerating systems that needed updating and then realized that document only talks about federal systems. Jolly good fun.

Jake Carpenter Sep 24, 2024

@LukaszOlejnik Unfortunately it's all completely meaningless until the ISO 27001:2022 follows. It is chock full of hard requirements that are direct contradictions of the NIST.

Brad Ackerman Sep 25, 2024

@jakecarpenter @LukaszOlejnik Fortunately, my current customer set puts NIST first. I don't even know if they look at 27001.

Mark Down Sep 24, 2024

@LukaszOlejnik oh, I hope this time it will be enough to convince the higher-ups that those requirements are no longer sound. Every time I've raised it before, they've never been receptive.

Softwarewolf Sep 24, 2024

@LukaszOlejnik Now do SMS MFA please

noplasticshower Sep 24, 2024

@LukaszOlejnik fucking NIST is the anchor dragging under the cybersecurity ship.

D2 Sep 25, 2024

@noplasticshower @LukaszOlejnik uh, that’s backwards here. USDoCommerce deduced regular expiry was bad (less secure) several years ago. Whole damn cyber I ndustry blithely ignored them.

SpaceLifeForm Sep 25, 2024

Periodic password changes are Security Theatre.

Brad Ackerman Sep 25, 2024

@SpaceLifeForm @LukaszOlejnik Most security theatre is like TSA in that it only indirectly harms security by redirecting resources away from productive work. Periodic password requirements are the higher-grade theatre (like polygraphs) that actively sabotage security.

In3D.ca Sep 25, 2024

@LukaszOlejnik Finally I can stop storing nonsense answers to KBA questions in my password manager.

Why yes, my first pet's name was G0dzi11a7heHun, why do you ask?

スパックマンクリス Sep 25, 2024

@in3dca @LukaszOlejnik

This! I actually had one site that (which I was on the phone with for some reason) said "oh, you'd like to use a secondary password instead of a security question?" and totally cool with it. I was shocked, in a good way.

/\ndy Sep 25, 2024

@LukaszOlejnik YES. YES. A thousand times this.

Bryce Dixon Sep 25, 2024

@LukaszOlejnik Can't wait for my corporation to not follow these rules just to be annoying lol

DelegateVoid Sep 25, 2024

@LukaszOlejnik I still don't get why they should limit the password length.

Zimmie Sep 25, 2024

@delegatevoid @LukaszOlejnik Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.

DelegateVoid Sep 25, 2024

@bob_zim @LukaszOlejnik Ah yes, that does make sense. Still I would have liked them to put the maximum length at 128. The minimum length should be long enough so no human can possibly remember it (to discourage them from doing exactly that, and to force them to use a password manager) and the maximum has to make sense like you explained.

stephen Sep 25, 2024

Password managers only work for websites. For everything else, and it is most of the systems I deal with, we need to remember the password. And how do we authenticate to our password manager if the passwords are too long to remember?

@bob_zim @LukaszOlejnik

DelegateVoid Sep 25, 2024

@dmaonR @bob_zim @LukaszOlejnik I have over 500 accounts in different systems, I don't remember a single one of them. Password managers work great for any system that requires a password, I don't see why it would only work for websites. What you are probably saying is that you use browsers plugins which help you fill in usernames/passwords in web browsers. And some password managers can also input data into other apps. (Acting as a keyboard or using the copy/paste buffer automatically)

DelegateVoid Sep 25, 2024

@dmaonR @bob_zim @LukaszOlejnik As for authenticating / entering the master password for the password manager, there are many solutions. You can remember a passphrase for that, or like me, you can use a hardware device (in my case a device that authenticates my fingerprint and then inputs the master password as a keyboard). We also built a simple HID device with a very cheap USB chip that stored a master password and typed it into the PC upon touching the device. So I remember nothing.

DelegateVoid Sep 25, 2024

@dmaonR @bob_zim @LukaszOlejnik And if you're looking at open source solutions, #keypass for example allows you to write plugins (C#) that "provide" the master password to keypass so that means you can develop anything you want to act as a master password provider.

stephen Sep 25, 2024

@delegatevoid
These NIST standards are for password authentication. Everything from websites (your use case) to things that require a keyboard and VGA. You are making the argument that everything should use a hardware token. A different set of NIST standards. A different set of risks. Password managers have another set of risks. Okta was compromised via a password manager. Passwords are bad, but you fundamentally misunderstand the scope of the problem.

DelegateVoid Sep 25, 2024

@dmaonR no, I replied to your "Password managers only work for websites. " which is simply not true.

DelegateVoid Sep 25, 2024

@dmaonR and I never made the argument that everything should be a hardware token, I made the argument that one should not be able to remember his/her password.

Marcus Bointon Sep 25, 2024

@LukaszOlejnik @delegatevoid one practical reason is that bcrypt has an input length limit of 72 chars

Obsurveyor Sep 25, 2024

@LukaszOlejnik This is awesome! I had arguments with co-worker programmers at work *years* ago because I didn't enforce some arbitrary character set requirement and this was for a password for an internal, opt-in personal wellness program(i.e. not very important).

agh3 Sep 25, 2024

@LukaszOlejnik When NIST released in 2022 the recommendation to stop requiring password changes....the company I work at had a 90 day change schedule, when I sent them the new NIST guidelines, they updated the password change schedule to 70 days! WTF?

verifiedbisexual

@LukaszOlejnik cringe that they still allow a maximum password length. There's literally no need for that

Latte macchiato

ablobcat_longlong

@miles @LukaszOlejnik Kind of? Bcrypt caps out at 72, and that's what you'll see a lot of stuff using.
Setting that max to at least 64 is pretty solid.

verifiedbisexual

@privateger @LukaszOlejnik Mhhh, I'm reading more about it. I find it silly that bcrypt has a cap at 72 bytes. I don't really have the brainpower right now to understand why that limitation was needed, but I wonder if it could be increased and if we could use a normal hashing function in the first step (from the little I've understood you need an arbitrary limit, but it doesn't have to be 72 bytes), call this algorithm something else and use this one.
Plus the document says it SHOULD be at least 64 characters, not that it SHALL be. And again, it says characters, and says that multiple bytes unicode characters should be counted as one single character, so the 64 characters thing sounds really arbitrary.

@LukaszOlejnik
Maybe when this rule takes effect, I'll finally be allowed to create reasonable, easy-to-remember passwords for #banking apps! They're notorious for having terrible #password requirements.

Morgane Sep 25, 2024

@LukaszOlejnik Does that mean that even passwords looking like gibberish like “3,eF_g87wTKbqxq.” aren't considered as safe enough?

Tachibana Kanade Sep 25, 2024

@LukaszOlejnik @TheShillito A broad interpretation of that would seem to preclude blocking single dictionary words and passwords found in data breaches. Is it the intention that dictionary attacks should be blocked via other mechanisms?

Magnus Ahltorp Oct 1, 2024

@h0m54r @LukaszOlejnik @TheShillito I don’t see any prohibition on testing for non-algorithmic subsets, i.e. wordlist good, characterset bad.

Ascendor Sep 25, 2024

@LukaszOlejnik Wow, this is big.

Bindestrich Sep 25, 2024

@LukaszOlejnik why is different Charakter sets a Bad idea?

P4 Sep 25, 2024

@Bindestriche @LukaszOlejnik it's a bad idea to make specific characters mandatory. Don't force users to tweak their randomly generated high-entropy passwords just because the RNG didn't roll at least two digits or something silly like that.

Spitefully Optimistic Sep 25, 2024

@LukaszOlejnik most apps have problems even displaying Unicode... Hope this goes well for all of us using "árvíztűrő tükörfúrógép" as our default password.

Michael Kohne Sep 25, 2024

@LukaszOlejnik I would like to understand the rationale for making password rotation a 'shall not'. I know it's not helpful, but how is it harmful?

Slothdude Sep 25, 2024

@mhkohne @LukaszOlejnik Results in passwords like “password”, “password2”, “password3”, etc.

Magnus Ahltorp Oct 1, 2024

@mhkohne @LukaszOlejnik password1, password2, password3. Enforced rotation incentives sloppy password practices, since you know that you will have to learn a new one soon anyway.

eobet Sep 25, 2024

@LukaszOlejnik @SM0RVV ooh, will the correcthorsebatterystaple finally be allowed everywhere soon then? 🥳

Erik 📻🪐🚲Sep 25, 2024

@eobet @LukaszOlejnik I sure hope so. And that we never in the future will see: "Please make a password containing letters and numbers, plus at least 5 special characters. And by the way you have to change it every other week."

Richard Walker Sep 25, 2024

@LukaszOlejnik Finally! Thank God!!!

Dainius Happy 🇱🇹 ❤ 🇺🇦Sep 25, 2024

@LukaszOlejnik At last some sober point of view.

Megahertz Sep 25, 2024

@LukaszOlejnik This revamp of memorized secrets started by NIST years ago now. But the world is very slow to adopt this updated guidance, especially financial services organizations.