Re: [Cryptography] Possible reason why password usage rules are such a mess

On Mon, Nov 16, 2020, at 3:16 PM, Arnold Reinhold via cryptography wrote:
> o Larger minimum password length (SP 800 63B requires 8 characters, but 
> this is too few. 10 or 12 should be the minimum)

Unfortunately, people seem to have problems remembering passwords
over 8 characters. I think they chose this number by studying passwords
that people were likely to come up with in the absence of any criteria.

> o Special treatment required for password reset answers (e.g. 
> segregated server with separate backup and restricted connectivity)

This sounds expensive -- help desk time for password resets can be a
nontrivial percentage of all support calls.

> o Offering system generated password or passphrases, preferably in 
> several formats, e.g.
>   Random pass phrase with different word lists
>   Random letters with mnemonic sentences
>   Random pronounceable syllable groups 

The latter two seem to help the most. People who might not be able to
remember a >8 char password can remember a nonsense babble.

> o Smart throttling 
>     Higher limit for longer passwords 
>     No dings for blank password or repeat of previous try
>     Non bricking — no extreme lockout (>6 hours)
>     Notification of possible caps lock

Along with proper hashing, this is likely the best change that can be done
with no user involvement. Long-ish delays decrease the chance someone
will walk in and guess the password, and give an IDS ample time to see
the attempts.

> o Encouraging people to use password managers, at least for most passwords

Difficult. Most implementations require the user to transfer a file around.
It might be best to have a key padding scheme, but for mnemonic passwords.
Maybe make it available as an app.

> o Encouraging people to write down non-managed passwords, with 
> suggestions for safe places. It’s no longer reasonable to expect 
> ordinary users to memorize all the passwords or passphrases users need, 
> if they are to be strong enough. 

Realizing this can be okay is good, but can be remedied by choosing shorter
passwords. An actionable threat model is someone walking into the office
and touching a computer. Many businesses fail this, including banks. The
passwords are either nonexistent(!) or on the machine.
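
The three system-generated formats from the quoted list (random passphrase from a word list, random letters with a mnemonic sentence, random pronounceable syllable groups), as an added example that is not part of the original thread. The word list, consonant and vowel sets, syllable shape (consonant-vowel-consonant) and group sizes are all assumptions constructed for the example; a real deployment would swap in a vetted list such as EFF's. Each generator returns the entropy of what it produced, so the formats can be compared on equal terms.

```python
import math
import secrets

# Constructed sample word list covering every initial letter a-z (assumption:
# a real deployment would use a vetted list such as EFF's 7776-word list,
# which gives about 12.9 bits per word; this toy list gives log2(26) = 4.7).
WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xenon", "yellow", "zephyr",
]
CONSONANTS = "bcdfghjklmnprstvz"   # 17, chosen so syllables stay pronounceable
VOWELS = "aeiou"                   # 5


def bits(choices: int, count: int) -> float:
    """Entropy in bits of `count` independent uniform draws from `choices` options."""
    return count * math.log2(choices)


def passphrase(count: int = 6, words=WORDS, sep: str = "-"):
    """Random passphrase from a word list, e.g. 'kettle-xenon-apple-...'.

    Returns (passphrase, entropy_bits). secrets.choice is a CSPRNG;
    never use random.choice for this.
    """
    picks = [secrets.choice(words) for _ in range(count)]
    return sep.join(picks), bits(len(words), count)


def pronounceable(syllables: int = 5, per_group: int = 2, sep: str = "-"):
    """Random pronounceable 'babble': consonant-vowel-consonant syllables,
    grouped for readability, e.g. 'bokrit-vulsap-tem'.
    Returns (password, entropy_bits)."""
    syls = [
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(syllables)
    ]
    groups = ["".join(syls[i:i + per_group]) for i in range(0, syllables, per_group)]
    return sep.join(groups), bits(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS), syllables)


def letters_with_mnemonic(count: int = 8, words=WORDS):
    """Random letters plus a mnemonic sentence whose words start with those letters.

    The letters are the password; the sentence is shown once to help memorize it.
    Returns (letters, sentence, entropy_bits).
    """
    by_initial = {}
    for w in words:
        by_initial.setdefault(w[0], []).append(w)
    alphabet = sorted(by_initial)          # only letters we can build a mnemonic for
    letters = [secrets.choice(alphabet) for _ in range(count)]
    sentence = " ".join(secrets.choice(by_initial[c]) for c in letters)
    return "".join(letters), sentence, bits(len(alphabet), count)


if __name__ == "__main__":
    for name, out in [("passphrase", passphrase()), ("pronounceable", pronounceable()),
                      ("letters", letters_with_mnemonic())]:
        print(name, out)
```

With these toy parameters the numbers line up with the point made above: five CVC syllables (15 letters of babble) carry about 52.6 bits, eight random letters about 37.6 bits, and six words from the 26-word toy list only 28.2 bits, which is why the word list, not the word count, is what makes a passphrase strong.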

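The "smart throttling" rules from the quoted list together with "proper hashing", as an added example that is neither the poster's nor the list's code. Assumptions: passwords are stored as salted scrypt digests with the parameters shown; "higher limit for longer passwords" is read as a half-strike weight on guesses of 12 or more characters; delays start at the fifth strike, double per further strike and are capped at 15 minutes; a blank guess or an exact repeat of the previous failed guess is refused without counting; the caps-lock hint is produced by verifying the case-swapped guess. The clock is injected so the policy is testable offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# scrypt work factor (assumption: tune so one verify costs ~100 ms on the server)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

LONG_GUESS = 12        # assumption: a guess this long or longer counts as half a strike
STRIKE_LIMIT = 5.0     # strikes before delays start
BASE_DELAY = 2.0       # seconds; doubles with each further strike
MAX_DELAY = 15 * 60.0  # cap, well under the 6-hour "bricking" threshold


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; returns (salt, digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    strikes: float = 0.0
    last_guess: Optional[str] = None   # previous failed guess, so repeats are not re-dinged
    locked_until: float = 0.0          # timestamp before which attempts are refused


@dataclass
class Result:
    status: str                 # "ok", "rejected" or "throttled"
    counted: bool               # did this attempt cost a strike?
    retry_after: float          # seconds the caller must wait before the next attempt
    hint: Optional[str] = None  # e.g. a caps-lock warning


class LoginThrottle:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def attempt(self, user: str, guess: str, now: float) -> Result:
        """One login attempt at time `now` (injected so the policy is testable)."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(guess, b"\0" * 16)   # burn the same time so timing does not leak valid users
            return Result("rejected", False, 0.0)
        if now < acct.locked_until:
            return Result("throttled", False, acct.locked_until - now)
        # No dings for a blank password or an exact repeat of the previous failed try
        if guess == "" or guess == acct.last_guess:
            return Result("rejected", False, 0.0)
        if verify(guess, acct.salt, acct.digest):
            acct.strikes, acct.last_guess, acct.locked_until = 0.0, None, 0.0
            return Result("ok", False, 0.0)
        acct.last_guess = guess
        acct.strikes += 0.5 if len(guess) >= LONG_GUESS else 1.0
        # Caps-lock hint: the case-swapped guess matches. That confirms the password
        # modulo case, so it still costs a strike; it is a usability hint, not a free try.
        hint = "caps lock may be on" if verify(guess.swapcase(), acct.salt, acct.digest) else None
        retry = 0.0
        if acct.strikes >= STRIKE_LIMIT:
            retry = min(BASE_DELAY * 2 ** (acct.strikes - STRIKE_LIMIT), MAX_DELAY)
            acct.locked_until = now + retry
        return Result("rejected", True, retry, hint)
```

Two points a practitioner should keep in mind: the caps-lock check doubles the hashing cost of every failure, so it belongs behind the same delay as the main verify, and the delay cap is what keeps an attacker who knows a victim's username from locking that victim out for hours; the exponential growth, not the cap, is what starves an online guesser.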