[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Arnold Reinhold agr at me.com
Sun Apr 2 02:24:31 EDT 2017



Sent from my iPhone

> On Apr 2, 2017, at 1:31 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> 
> On Apr 2, 2017 00:39, "Arnold Reinhold" <agr at me.com> wrote:
> > What you suggest may make sense in an historical context,
> > it's the best explanation I've heard so far, but sending clients their
> > password requires that the computer service provider store the
> > plaintext password, which is bad practice and is totally prohibited by
> > the NIST 63B draft. So it's not a justification for space elimination
> > being allowed in 63B.
> 
> While I personally think it also is bad practice, it certainly does NOT require the service provider *store* a plaintext password (at least permanently). You can store via bcrypt, scrypt, etc., whatever way you normally hash it (complete with using a random salt) and just put it through similar authentication processing. The major difference in the authentication is that:
> 1) upon successful authentication, you force the user to immediately change their password to something of their choosing, and
> 2) you generally place a tight time limit on how soon such an emailed password must be used. Say no more than 12 hours, but ideally, maybe 15-20 minutes max. (Presumably, since the user took some action to have the password emailed to themselves [e.g., user registration, forgot password flow, call to help desk, etc.], the user will be expecting the password in an email, so its expiration period can be short.)
> 
> I think the practice of emailing such temporary passwords is dumb for other reasons (some of which can also be overcome with additional complexity), but requiring that the temp password be stored as plaintext is not one of them.
> 
> -kevin
> 

Sorry, I misunderstood. I thought you were describing a situation where the help desk sent a forgetful user the password they had originally established. In the use case you describe, which I agree has other problems, there is no reason the system-generated temporary password would contain spaces in the first place. I've never seen any that did. And I'm not aware of any OS where cutting and pasting into a form field adds leading or trailing spaces, but if that's the problem, only those should be permitted to be removed and perhaps only in the time window during which the temporary password is valid.

Arnold Reinhold
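The temporary-password flow from the quoted message (salted scrypt hash, short validity window, forced change after first use), combined with the narrower rule from the reply above (strip only leading/trailing whitespace, and only while a temporary password is valid), as an added Python example; it is not code from either poster. It assumes `hashlib.scrypt` with a PBKDF2-HMAC fallback, an in-memory dict as the credential store, and a 15-minute window.

```python
import hashlib
import hmac
import secrets
import string

# Constructed example values: alphabet without spaces, 15-minute window (the tight end of the range above)
ALPHABET = string.ascii_letters + string.digits
TEMP_TTL_SECONDS = 15 * 60


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash; scrypt where the OpenSSL build provides it, PBKDF2-HMAC-SHA256 otherwise."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def issue_temp_password(store: dict, user: str, now: float, length: int = 16) -> str:
    """Generate a temporary password; store only its salted hash and expiry, return plaintext once for the e-mail."""
    temp = "".join(secrets.choice(ALPHABET) for _ in range(length))  # no spaces, so nothing to strip
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": _hash(temp, salt), "expires": now + TEMP_TTL_SECONDS, "temporary": True}
    return temp


def set_permanent_password(store: dict, user: str, new_password: str) -> None:
    """The change the user is forced into after authenticating with the temporary password."""
    salt = secrets.token_bytes(16)
    store[user] = {"salt": salt, "hash": _hash(new_password, salt), "expires": None, "temporary": False}


def verify(store: dict, user: str, submitted: str, now: float) -> str:
    """Return 'bad', 'expired', 'ok', or 'ok_must_change' (temporary password accepted, change required)."""
    rec = store.get(user)
    if rec is None:
        return "bad"
    if rec["temporary"]:
        if now > rec["expires"]:
            return "expired"
        # Leading/trailing whitespace (e.g. from copy-paste) is tolerated only here, only inside the window;
        # interior characters are never altered, and permanent passwords are compared exactly as typed.
        submitted = submitted.strip()
    if not hmac.compare_digest(_hash(submitted, rec["salt"]), rec["hash"]):
        return "bad"
    return "ok_must_change" if rec["temporary"] else "ok"
```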