[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] Possible reason why password usage rules are such a mess

On 20 Nov 2020 13:36 -0800, from kentborg AT borg.org (Kent Borg):
> (I hope there isn't a "best practices" requirement of changing
> passwords every 30-days in there.)

Even NIST did away with the suggestion/requirement for forced periodic
password changes years ago now. Last I looked, their current
requirements for passwords were far more sane in a modern environment.

Passwords (and passphrases) as a concept aren't perfect, but I agree
with what someone said earlier; even if we come up with a perfect
replacement that has no downsides (sincerely: good luck), we will
still be stuck with the concept of passwords for a long time to come.

Therefore, it seems to me to make sense to not have the perfect be the
enemy of the good enough; and to find ways to actually encourage both
developers and end-users to take steps that we _know_ work for
protecting password-protected assets.

For example: using long, unique, randomly generated passwords _works_,
and we do have the tools (which, admittedly, can be improved in
places) to make using such passwords less awkward. For actual
high-value assets where the reduced usability can be justified by the
increased security, different types of one-time codes or separate
authentication tokens such as for example key fobs, smartcards or
Yubikeys can help raise the bar further for an attacker.

Similarly, proper hashing of passwords before storage _works_, and
that's something that can be implemented without really changing
_anything_ for the user.

Once you're already doing something like, say, using a password
manager instead of remembering and typing in every password by hand,
assuming support for long passwords, the usability difference between
a 10-character password and a 60-character password is effectively
negligible. I have unique, random >60 character passwords to log in to
a few _news site subscriptions_, where about the worst an attacker
could do is to quite literally read the news; not because such a
password is in any way necessary to protect such an account, but
because I might as well. It pretty much guarantees that whatever else
might go wrong, my password there definitely won't be the weak link.

Michael Kjörling • https://michael.kjorling.se • michael AT kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”

The cryptography mailing list
cryptography AT metzdowd.com