Ask Slashdot: Password standards?

eggegick writes: Is there some sort of official standard for password length and
complexity that we can ask organizations to use? Every site I visit
has its own idea of the minimum and maximum number of characters, the
number of digits, the number of upper/lowercase characters, the number
of punctuation characters allowed and even what punctuation characters
are allowed and which are not.

The limit of password size really torques me, as that suggests they
are storing the password (they need to limit storage size), rather
than its hash value (fixed size), which is a real security blunder.

Also, the stupid dots drive me bonkers, especially when there is no
"unhide" button. For crying out loud, nobody is looking over my
shoulder! Make the "unhide" default.

I know the NIST has recommendations, but they are fuzzy, not a simple
statement you can give to Grandma.

  • In fact, there is a standard for passwords, from the National Institute of Standards and Technology. It's NIST Special Publication 800-63. Not sure why you think it's fuzzy. Part B section 5.1.1 on memorized secrets is quite precise.

    Briefly:
    * Minimum 8 characters
    * Must allow at least 64 characters.
    * No constraints on what printing characters can be used (including high unicode)
    * No requirements on what characters must be used or in what order or proportion

    This is expected to be paired with a system which do

    • by Z00L00K (682162)

      As much as we have the passwords today even those standards are quickly becoming obsolete.

      The 8 character password can today be cracked within 8 hours and considering the computing performance increase the time is getting shorter and shorter.

      A 2 factor authentication is what you'd need today, unfortunately there are many different and they too have weaknesses. Add to it that with many security measures you can increase the security but also impact the reliability of your computing solution.

      E.g. if you put a

      • The 8 character password can today be cracked within 8 hours and considering the computing performance increase the time is getting shorter and shorter.

        That is not an accurate statement. More precisely, you haven't stated the conditions in which that is possible. Nor considered the constraints those conditions place on the utility of doing so.

        The main thing is: if you followed good practices and used different passwords everywhere, the likelihood is that anyone successfully acquiring the cryptographic hash has already breached the system in a way that grants access to everything your password protected. Not always, but 99%.

        On the other hand, someone attemp

        • by Z00L00K (682162)

          The report can be found here: https://www.hivesystems.io/blo... [hivesystems.io]

          8 hours for a complex 8 character password given that you have access to the encrypted password and I'd say that you shall expect that it's the case since there are always trojans and other methods of fishing out the encrypted data.

          6000 years - that's probably if you use 1990's technology.

          • I guess you didn't actually read that report, you just looked at the table. If you'd read the report, you'd understand that it depends on (A) having access to the hash and (B) which hash algorithm was used.

            The correct takeaways from their analysis were:

            1) Don't reuse passwords. If your hash is captured from one system, it can be cracked and then your password used anywhere else you used it.

            2) Don't design security systems which presume that the hash can be safely transmitted to lower-trust systems (I'm looki

    • by AmiMoJo (196126)

      We need to move beyond passwords. At least use 2FA. Trying to secure a password is almost always going to fail.

      • That sort of blanket thinking is in error. Use an authenticator that's appropriate to the asset you're trying to protect. And make transactions for any important asset reversible upon discovery of fraud.

        2FA has an important place in the set of solutions, but there are plenty of places where it can't be realistically sustained. Protect a system a customer uses once a year with a cell phone authenticator app alongside the password? Every other time they use it, they'll have gotten a new cell phone and lost th
