[Cryptography] Possible reason why password usage rules are such a mess
Sid Spry
sid at aeam.us
Tue Nov 17 10:01:25 EST 2020
On Mon, Nov 16, 2020, at 3:16 PM, Arnold Reinhold via cryptography wrote:
>
> o Larger minimum password length (SP 800 63B requires 8 characters, but
> this is too few. 10 or 12 should be the minimum)
>
Unfortunately, people seem to have problems remembering passwords
over 8 characters. I think they chose this number by studying passwords
that people were likely to come up with in the absence of any criteria.
> o Special treatment required for password reset answers (e.g.
> segregated server with separate backup and restricted connectivity)
>
This sounds expensive -- help desk time for password resets can be a
nontrivial percentage of all support calls.
> o Offering system generated password or passphrases, preferably in
> several formats, e.g.
> Random pass phrase with different word lists
> Random letters with mnemonic sentences
> Random pronounceable syllable groups
>
The latter two seem to help the most. People who might not be able to
remember a >8 char password can remember a nonsense babble
password.
> o Smart throttling
> Higher limit for longer passwords
> No dings for blank password or repeat of previous try
> Non bricking — no extreme lockout (>6 hours)
> Notification of possible caps lock
>
Along with proper hashing, this is likely the best change that can be done
with no user involvement. Long-ish delays decrease the chance someone
will walk in and guess the password, and give an IDS ample time to see
the attempts.
> o Encouraging people to use password managers, at least for most passwords
>
Difficult. Most implementations require the user to transfer a file around.
It might be best to have a key padding scheme, but for mnemonic passwords.
Maybe make it available as an app.
> o Encouraging people to write down non-managed passwords, with
> suggestions for safe places. It’s no longer reasonable to expect
> ordinary users to memorize all the passwords or passphrases users need,
> if they are to be strong enough.
>
Realizing this can be okay is good, but can be remedied by choosing shorter
passwords. An actionable threat model is someone walking into the office
and touching a computer. Many businesses fail this, including banks. The
passwords are either nonexistent(!) or on the machine.
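The "smart throttling" item in the quoted list (higher limit for longer passwords, no dings for a blank or repeated try, no bricking lockout, caps-lock notification) as one concrete policy. This is an added example, not code from the post or from any project; the PBKDF2 verifier, the in-memory state, the attempt budget, the backoff schedule and the one-hour cap are all assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

ITERATIONS = 100_000     # PBKDF2 work factor; illustrative, tune for production
BASE_ATTEMPTS = 5        # guess budget for an 8-character password (assumed)
LOCKOUT_CAP = 60 * 60    # one hour: well under the 6-hour "bricking" threshold

def make_verifier(password: str) -> dict:
    # Salted PBKDF2 record; length is kept so the budget can scale with it
    # (this leaks the length; a real store might keep only a coarse bucket).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "length": len(password)}

def _matches(rec: dict, candidate: str) -> bool:
    d = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(d, rec["digest"])

def attempt_budget(length: int) -> int:
    # Higher limit for longer passwords: two extra tries per character past 8.
    return BASE_ATTEMPTS + 2 * max(0, length - 8)

def lockout_delay(failures: int, budget: int) -> float:
    # Exponential backoff once the budget is spent, capped so nobody is bricked.
    return min(LOCKOUT_CAP, 30.0 * 2 ** (failures - budget))

class Throttle:
    def __init__(self, rec: dict, clock=time.monotonic):
        self.rec, self.clock = rec, clock
        self.failures, self.last_try, self.locked_until = 0, None, 0.0

    def check(self, candidate: str) -> dict:
        now = self.clock()
        if now < self.locked_until:
            return {"ok": False, "reason": "locked", "retry_in": self.locked_until - now}
        if _matches(self.rec, candidate):
            self.failures, self.last_try = 0, None
            return {"ok": True}
        # Caps-lock hint: the attempt matches once its letter case is swapped.
        hint = "caps_lock" if _matches(self.rec, candidate.swapcase()) else None
        # No dings for a blank submission or an exact repeat of the previous try.
        counted = candidate != "" and candidate != self.last_try
        if candidate != "":
            self.last_try = candidate
        if counted:
            self.failures += 1
            budget = attempt_budget(self.rec["length"])
            if self.failures >= budget:
                self.locked_until = now + lockout_delay(self.failures, budget)
        return {"ok": False, "reason": "wrong", "hint": hint, "failures": self.failures}
```

Each failed attempt costs two verifier computations because of the caps-lock probe, so the hint is best offered only while the account is not yet near its budget.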