[Info-vax] Enhanced Password Management
Craig A. Berry
craigberry at nospam.mac.com
Fri Mar 22 19:01:57 EDT 2019
On 3/22/19 3:46 PM, Stephen Hoffman wrote:
> On 2019-03-22 16:55:40 +0000, Dave Froble said:
>
>> "BAD" is many times "in the eyes of the beholder" ....
>>
>> That said, including the capability to do "good" (same perspective as
>> bad) should be available ....
>>
>> Perhaps I'm not understanding this topic. Is it incompatible to allow
>> both what certain customers want, and current best practices,
>> according to NIST?
>
> It's that the documentation doesn't state that NIST suggests that these
> password filters are a Bad Idea, and for the following reason.
How do you know it doesn't (or won't)? The latest announcement from two
days ago just says that the field test is now complete and brought some
code and documentation changes that will be in the final release next
month. If you participated in the field test and provided there the
feedback provided here, I suspect it will get a mention.
> It's that the documentation here doesn't make clear what might be the
> VSI opinion around password filters, and an obvious inference given NIST
> recommendations and published papers on this topic is that VSI isn't
> concerned about weakening their customer security.
Yes, it seems pretty obvious they are just playing catch-up and doing
what everybody else has been doing (and is mostly still doing), e.g.,
<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements>
A more interesting question is why VSI's DoD customers (as well as a
slew of auditors, corporate security officers, certification providers,
authentication providers like Auth0, etc.) require following the older
NIST guidelines from before NIST did an about-face a couple of years ago?
By the way, OWASP's current recommendations are to double down on
password complexity and make them more complex rather than abandon the
idea, and also, despite NIST, require frequent password changes:
<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md>
<https://www.youtube.com/watch?v=zUM7i8fsf0g>
I am not a security expert, but have long felt that lengthy,
easy-to-remember passphrases that never change are the best kind of
remembered secret ("I went on holiday to Timbuktu in 2002!"). It's
interesting that some, but not all, security experts have changed their
minds about password complexity and password change requirements and now
recommend what I've always wanted to do (when I was allowed to). Is
NIST the gospel? Are people who disagree with the latest NIST standards
and prefer the older ones ignorant that anything has changed, or is it a
principled disagreement and they genuinely believe the complexity and
change requirements are worth the burden on the user? Dunno.
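To make concrete the distinction this thread draws between a composition-rule password filter and the NIST SP 800-63B approach, here is an added Python example (not part of the original post, of VSI's code, or of any product); the "legacy" rule is a simplified stand-in for the Windows policy linked above, and the deny list and every sample password are constructed.

```python
import re

# Constructed stand-in for a corpus of common/breached passwords; SP 800-63B
# 5.1.1.2 asks verifiers to reject values found in such a blocklist.
DENY_LIST = {"password", "p@ssw0rd", "welcome1", "letmein", "qwerty123",
             "summer2019!"}

def legacy_complexity_ok(pw: str) -> bool:
    """Simplified composition-rule filter in the style of the Windows
    'password must meet complexity requirements' policy: at least 6
    characters drawn from 3 of 4 classes. Assumed simplification: the
    account-name check and the Unicode class are omitted."""
    classes = (re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
               re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= 6 and sum(1 for c in classes if c) >= 3

def nist_style_ok(pw: str, deny_list=DENY_LIST) -> bool:
    """Check in the spirit of SP 800-63B memorized-secret rules: a length
    floor of 8, a generous ceiling (64 here), no composition rules, spaces
    allowed, and rejection of anything on the blocklist (compared
    case-insensitively so trivial casing tricks do not evade it)."""
    if not 8 <= len(pw) <= 64:
        return False
    return pw.lower() not in deny_list

def evaluate(pw: str) -> dict:
    """Return the verdict of both filters for one candidate password."""
    return {"legacy": legacy_complexity_ok(pw), "nist": nist_style_ok(pw)}

# Constructed samples: each row shows where the two policies disagree.
SAMPLES = [
    "P@ssw0rd",                                # complex-looking, but breached
    "Summer2019!",                             # seasonal pattern, on blocklist
    "Tr0ub4d",                                 # 3 classes but only 7 chars
    "correct horse battery staple",            # long, lowercase only
    "I went on holiday to Timbuktu in 2002!",  # the passphrase from the post
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = evaluate(sample)
        print(f"{sample!r:42} legacy={verdict['legacy']!s:5} "
              f"nist={verdict['nist']}")
```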