[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Kevin W. Wall kevin.w.wall at gmail.com
Sun Apr 2 15:17:23 EDT 2017


On Sun, Apr 2, 2017 at 2:24 AM, Arnold Reinhold <agr at me.com> wrote:
<snip>
> Sorry, I misunderstood. I thought you were describing a situation where the
> help desk sent a forgetful user the password they had originally
> established.

Well, I've seen that way too many times, but more in
the late 1990s and early 2000s. Note that this has mostly
swung towards password reset self-service via password
security questions and answers.

Speaking of which, NIST's suggested wording that you
commented on might actually be reasonable if applied to
answers of password security questions (which I
generally recommend being hashed in the same manner
that passwords are).

However, unlike passwords, most development shops do
not require that answers to security questions be
confirmed by re-typing the answer in a second time.
But if you hash them, then there is a potential
problem with typos that even a help desk can't assist
you with. E.g., if the security question that is posed
is something like:

  Q: What address did you live on when you were in 1st grade?
and the user types in
    123  Main St., Denver, CO
(notice the 2 spaces after '3'), when they come back to
answer the security question (if they ever do), they
most likely would type

    123 Main St., Denver, CO

it would not match and the user would not be able to
reset their forgotten password. If the system deletes
multiple spaces before it hashes the security answers,
then this particular typo problem goes away. And doing
so probably does not significantly reduce the
difficulty of guessing the posed security question.
(Those who are really concerned about security are
going to lie about it or use an answer something like
    I lived on a street in some @#&!*#$% house.
or some random string they keep in notes in a password
manager. But I digress.)

For passwords, what I'm describing is seldom a problem
because conventional wisdom is that you confirm the
candidate password by requiring it to be typed in a 2nd
time to prevent this sort of typo. (And there are ways,
using JavaScript in web forms, to prevent it from being
pasted into the password confirmation field.)

I've not bothered to read the NIST document that
Arnold commented on though to know if it deals with
password resets via security questions / answers or
not.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
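Added illustration (not part of Kevin's post, Arnold's reply, or the NIST draft): the whitespace normalization Kevin describes, applied to a security-question answer before it is hashed the same way a password would be. The normalization rule (collapse any run of whitespace to one space, trim the ends), the PBKDF2 parameters and the sample addresses are all assumptions chosen for this example; case is deliberately left untouched, since case-folding is a separate policy decision the post does not make.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Constructed parameters for this example; a real deployment would pick
# its own KDF and work factor (and ideally a memory-hard one).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Collapse every run of whitespace to a single space and trim.

    With this rule '123  Main St., Denver, CO' (two spaces after the 3)
    and '123 Main St., Denver, CO' hash to the same value, so the
    enrolment-time typo from the post no longer locks the user out.
    """
    return re.sub(r"\s+", " ", answer).strip()


def hash_answer(answer: str, salt: Optional[bytes] = None,
                normalize: bool = True) -> Tuple[bytes, bytes]:
    """Salt and stretch an answer; returns (salt, digest).

    normalize=False shows the behaviour the post complains about: the
    raw keystrokes are hashed, so a stray double space is fatal later.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    text = normalize_answer(answer) if normalize else answer
    digest = hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored: bytes,
                  normalize: bool = True) -> bool:
    """Re-derive the digest for the candidate and compare in constant time."""
    _, digest = hash_answer(candidate, salt, normalize=normalize)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed sample: the answer as typed at enrolment, with the typo.
    enrolled = "123  Main St., Denver, CO"
    later = "123 Main St., Denver, CO"

    salt, stored = hash_answer(enrolled)
    print("normalized match:", verify_answer(later, salt, stored))        # True

    salt_raw, stored_raw = hash_answer(enrolled, normalize=False)
    print("raw match:", verify_answer(later, salt_raw, stored_raw,
                                      normalize=False))                   # False
```

The normalization has to run on both sides, at enrolment and at reset time, and on the server rather than in the browser, so a client that skips it cannot produce a mismatch. Collapsing spaces removes almost no entropy from an address-style answer, which is Kevin's point; the weak link remains how guessable the answer itself is, which is why he ends up recommending a random string kept in a password manager.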

