[Cryptography] Removal of spaces in NIST Draft SP-800-63B

Jonathan Thornburg jthorn4242 at gmail.com
Tue Apr 4 00:18:39 EDT 2017


I don't usually do "me too", but this is so important it deserves
reinforcement:

On Mon, Apr 03, 2017 at 08:25:51AM +0000, Michael Kjærling wrote:
> On 2 Apr 2017 15:17 -0400, from kevin.w.wall at gmail.com (Kevin W. Wall):
> > (And there are ways
> > using JavaScript in web forms, to prevent it from being
> > pasted in in the password confirmation field.)
> 
> Which has/have a tendency to break legitimate workflows, including
> non-automated usage of a password manager. I copy and paste usernames
> and passwords from my password manager into the web browser all the
> time, in part because I don't quite trust automation to always get it
> correct. At least if I mess up myself, I know (or am able to figure
> out quickly) which two accounts are involved and can go change those
> passwords without having to guess too much.

+1.


> If pasting into password fields is broken, I will have to choose a far
> less secure password, because really, there is no way I'm going to
> type a 50+ upper/lower/digits/symbols/hieroglyphs password manually
> every time. Either that, or I go with a competing service. (Yes, I
> _know_ that 50+ is overkill, but I'm already using a password manager,
> so why not add a decent safety margin? It's not like it makes it any
> harder.)

I tend to do more like
  dd if=/dev/arandom bs=50 count=1|alphanumeric.encode
(in another window, on an OS where /dev/arandom is a high-quality
cryptographic random-number generator) and cut-n-paste 15-20 characters
from the output of that command into my "password-manager" and into the
offending web form.  Even if the website internally mono-cases the
password (as, e.g., one of my utility-bill-payment sites does),
that still gives > 5 bits of entropy/character.

Some web forms then complain that I must have (e.g.) >= 1 digit,
 >= 1 punctuation character (often without telling me the allowed set
of punctuation characters), >= 1 lower-case letter, and >= 1 upper-case
letter.  Since I already have plenty of entropy I just change one or two
of the characters to punctuation marks by hand, not bothering to use a
full cryptographic-random-number generator for those.

But the final entry into the web form is always by cut-n-paste if
it's allowed.  Disabling pasting into the webform is the (yet another)
mark of a clueless website.

-- 
-- "Jonathan Thornburg [remove -color to reply]" <jthorn4242 at gmail-pink.com>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
