[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Kevin W. Wall kevin.w.wall at gmail.com
Sun Apr 2 01:31:07 EDT 2017


On Apr 2, 2017 00:39, "Arnold Reinhold" <agr at me.com> wrote:
> What you suggest may make sense in an historical context,
> it's the best explanation I've heard so far, but sending clients their
> password requires that the computer service provider store the
> plaintext password, which is bad practice and is totally prohibited by
> the NIST 63B draft. So it's not a justification for space elimination
> being allowed in 63B.

While I personally think it also is bad practice, it certainly does NOT
require the service provider *store* a plaintext password (at least
permanently). You can store via bcrypt, scrypt, etc., whatever way you
normally hash it (complete with using a random salt) and just put it
through similar authentication processing. The major difference in the
authentication is that:
1) upon successful authentication, you force the user to immediately change
their password to something of their choosing, and
2) you generally place a tight time limit on how soon such an emailed
password must be used. Say no more than 12 hours, but ideally, maybe 15-20
minutes max. (Presumably, since the user took some action to have the
password emailed to themselves [e.g., user registration, forgot password
flow, call to help desk, etc.], the user will be expecting the password in
an email, so its expiration period can be short.)

I think the practice of emailing such temporary passwords is dumb for other
reasons (some of which can also be overcome with additional complexity),
but requiring that the temp password be stored as plaintext is not one of
them.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.
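The flow described in the message above, written out as an added example (not code from the original post or from NIST SP 800-63B): the temporary password is generated, hashed with scrypt and a random salt, and only the salt and digest are stored; a successful login with it forces a password change, and it expires after a short window. The 20-minute TTL, the `TempPasswordStore` class and its method names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed TTL: 20 minutes, the upper end of the "15-20 minutes" suggested above.
TEMP_PASSWORD_TTL_SECONDS = 20 * 60
SALT_LEN = 16


@dataclass
class Credential:
    salt: bytes
    digest: bytes          # scrypt(password, salt); the plaintext is never kept
    temporary: bool        # True for an emailed one-time password
    expires_at: Optional[float]  # absolute time, only set for temporary passwords
    must_change: bool = False    # set once the temporary password has been used


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; N=2**14, r=8 needs 16 MiB, under the default limit.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


class TempPasswordStore:
    """Hypothetical credential store that treats temporary passwords like any other hash."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._users: Dict[str, Credential] = {}

    def issue_temporary(self, user: str) -> str:
        """Create a temporary password; return it once for delivery, store only salt+digest."""
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(SALT_LEN)
        self._users[user] = Credential(
            salt=salt,
            digest=_hash(temp, salt),
            temporary=True,
            expires_at=self._clock() + TEMP_PASSWORD_TTL_SECONDS,
        )
        return temp

    def authenticate(self, user: str, password: str) -> str:
        """Return 'ok', 'must_change', 'expired' or 'denied'."""
        cred = self._users.get(user)
        if cred is None:
            _hash(password, b"\x00" * SALT_LEN)  # spend the same work for unknown users
            return "denied"
        if cred.temporary and self._clock() > cred.expires_at:
            del self._users[user]  # an expired temporary password is worthless; drop it
            return "expired"
        if not hmac.compare_digest(_hash(password, cred.salt), cred.digest):
            return "denied"
        if cred.temporary:
            cred.must_change = True  # login succeeded, but nothing else until it is replaced
            return "must_change"
        return "ok"

    def change_password(self, user: str, new_password: str) -> bool:
        """Replace the credential; a temporary one must have been proven first."""
        cred = self._users.get(user)
        if cred is None or (cred.temporary and not cred.must_change):
            return False
        salt = os.urandom(SALT_LEN)
        self._users[user] = Credential(salt=salt, digest=_hash(new_password, salt),
                                       temporary=False, expires_at=None)
        return True


def demo():
    """Walk through the flow with a controllable clock (constructed sample data)."""
    now = [1_000_000.0]
    store = TempPasswordStore(clock=lambda: now[0])

    temp = store.issue_temporary("alice")
    wrong = store.authenticate("alice", "not-the-password")      # denied
    first = store.authenticate("alice", temp)                     # must_change
    changed = store.change_password("alice", "correct horse battery staple")
    reuse = store.authenticate("alice", temp)                     # denied: temp is gone
    normal = store.authenticate("alice", "correct horse battery staple")  # ok

    temp_bob = store.issue_temporary("bob")
    now[0] += TEMP_PASSWORD_TTL_SECONDS + 1                       # let the window lapse
    late = store.authenticate("bob", temp_bob)                    # expired
    return (wrong, first, changed, reuse, normal, late)


if __name__ == "__main__":
    print(demo())
```

Whether the temporary password arrives by email or some other channel does not change the storage side: the server holds the same kind of salted scrypt digest it holds for a permanent password, and the only extra state is the expiry time and the forced-change flag.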