[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Kevin W. Wall kevin.w.wall at gmail.com
Mon Apr 3 21:33:18 EDT 2017


On Mon, Apr 3, 2017 at 4:25 AM, Michael Kjörling <michael at kjorling.se> wrote:
> On 2 Apr 2017 15:17 -0400, from kevin.w.wall at gmail.com (Kevin W. Wall):
>> (And there are ways
>> using JavaScript in web forms, to prevent it from being
>> pasted in in the password confirmation field.)
>
> Which has/have a tendency to break legitimate workflows, including
> non-automated usage of a password manager. I copy and paste usernames
> and passwords from my password manager into the web browser all the
> time, in part because I don't quite trust automation to always get it
> correct. At least if I mess up myself, I know (or am able to figure
> out quickly) which two accounts are involved and can go change those
> passwords without having to guess too much.
>
> If pasting into password fields is broken, I will have to choose a far
> less secure password, because really, there is no way I'm going to
> type a 50+ upper/lower/digits/symbols/hieroglyphs password manually
> every time. Either that, or I go with a competing service. (Yes, I
> _know_ that 50+ is overkill, but I'm already using a password manager,
> so why not add a decent safety margin? It's not like it makes it any
> harder.)
>
> Please don't ever encourage breaking standard workflows, including
> copy and paste.

Two things...
1) I was NOT, by any means, encouraging this. I hate it as much as you,
as I also use a password manager and indeed am against it for all the
same reasons that you are.
2) I was discussing this in the CONTEXT of a "password confirmation
field" in the context where a user is (re)setting their password. As
evil as it is there, it is much worse supporting it in the actual login
forms (which, unfortunately, I've also seen).

Note I was trying to say what was _possible_, NOT what was _advisable_.

And, in this case, I think you can have your cake and eat it too. If
you restrict pasting *ONLY* for the "password confirmation field" (you
know, that obnoxious place where they insist you re-enter your
password so you didn't mistype it the first time), they COULD also
support a check-box that says "I'm using a password manager and forgo
manually typing my password in to confirm that it is valid," so that
you could completely forgo retyping it the second time for
confirmation purposes.

Of course, developers are generally in a hurry or lazy or both and so do not
typically do that, but I am abhorred to think that you thought that I was
advocating it. That was certainly not my intent. I think that in
general, people who do that in their web UIs should be taken out back
to the woodshed and be given a good whuppin'. :)

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
