somniator (posted May 18, 2018)

Quote: Security Is Our Highest Priority

Quote: Passwords must contain at least one number and one punctuation mark

These contradict one another. Any limit on password characters decreases password security.
laurin1 (posted May 18, 2018)

What limit are you referring to? The enforcement of numbers and punctuation marks?
somniator (author, posted May 18, 2018)

Exactly. See NIST Special Publication 800-63B: "Verifiers SHOULD NOT impose other composition rules."
laurin1 (posted May 18, 2018)

I've worked in I.T. a long time and I flat out disagree with that publication. If the authentication process doesn't enforce rules like that, users will definitely create passwords like "123456789" or "aaaaaaaa" (on systems that allow such, I've seen it happen), which are much easier to brute-force hack (or even guess). For that matter, that document conflicts with itself:

Quote: Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.

But above that the document states:

Quote: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd').
- Context-specific words, such as the name of the service, the username, and derivatives thereof.

The rationale is given here:

Quote: Q13: Are password composition rules no longer recommended?
A13: SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack. Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.

I agree with their reasoning, but don't believe removing those rules accomplishes the goal indicated. Especially that last line: even for myself, the only thing that finally broke me of that (because I have 100's of passwords) is using a password manager. Seems that pushing PM's and/or 2FA is much better advice than removing those rules as a recommendation.
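The NIST text quoted in the post above describes what a verifier is expected to do instead of composition rules: enforce a minimum length and compare the candidate secret against a blocklist of common or compromised values, repetitive or sequential strings, and context-specific words. The following is an added example, not code from the forum or from NIST, of a verifier-side check written in that style. The blocklist, the run length of 4 for "repetitive or sequential", and the usernames and service name used in the checks are constructed assumptions; a real deployment would load a breach corpus and dictionary far larger than the handful of entries here.

```python
"""
Memorized-secret acceptance check in the style of NIST SP 800-63B section
5.1.1.2: a minimum length, no composition rules, and a comparison against
a blocklist of common/compromised values, repetitive or sequential strings,
and context-specific words.

Added example. The blocklist below is constructed for illustration and is
not a real breach corpus.
"""
import unicodedata

MIN_LENGTH = 8    # 800-63B: subscriber-chosen secrets at least 8 characters
MAX_LENGTH = 64   # 800-63B: at least 64 characters SHOULD be permitted

# Constructed sample blocklist (a real verifier loads a breach corpus and a
# dictionary here). Entries are compared case-insensitively.
COMMON_PASSWORDS = {
    "123456789", "password", "qwerty", "letmein", "iloveyou", "aaaaaaaa",
}

# Messages returned to the caller; keep them stable so callers can match on them.
TOO_SHORT = "too short"
TOO_LONG = "too long"
COMMON = "commonly used or compromised"
REPETITIVE = "repetitive characters"
SEQUENTIAL = "sequential characters"
CONTEXT = "context-specific word"


def normalize(secret: str) -> str:
    """800-63B says verifiers SHOULD apply Unicode NFKC or NFKD normalization
    before comparing or hashing, so 'ﬁ' and 'fi' are treated the same."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(s: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def is_sequential(s: str, run: int = 4) -> bool:
    """True if `run` or more consecutive characters ascend or descend by one
    code point, which catches strings like 'abcd' and '4321'."""
    for step in (1, -1):
        count = 1
        for a, b in zip(s, s[1:]):
            count = count + 1 if ord(b) - ord(a) == step else 1
            if count >= run:
                return True
    return False


def check_secret(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the list of reasons the secret must be rejected (empty = accept).

    Deliberately absent: any requirement for digits, punctuation or mixed
    case, per the SHOULD NOT in 800-63B. `username` and `service` are the
    context-specific words the caller knows about (assumed parameters).
    """
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if len(s) > MAX_LENGTH:
        problems.append(TOO_LONG)
    lowered = s.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append(COMMON)
    if is_repetitive(lowered):
        problems.append(REPETITIVE)
    if is_sequential(lowered):
        problems.append(SEQUENTIAL)
    # "derivatives thereof" is approximated here by a case-insensitive
    # substring match on each context word.
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            problems.append(CONTEXT)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("123456789", "aaaaaaaa", "Jeff1234abcd",
                      "correct horse battery staple"):
        print(repr(candidate), "->", check_secret(candidate, username="jeff"))
```

Both of the examples laurin1 gives, "123456789" and "aaaaaaaa", are rejected by this check without any composition rule: the first by the blocklist and the sequential-run test, the second by the blocklist and the repetition test. A long passphrase with no digits or punctuation passes, which is the trade-off the NIST rationale argues for.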