A Man With A Plan posted:
> Where I work a lot of business processes depend on a basically defunct software suite that has 90s era password requirements like no punctuation except exclamation points, no more than 3 of the same character class in a row, etc. So if you don't want random things to fail, your domain password also has to follow these requirements

this is sadly the case in a lot of massive businesses, especially banks and financial services because they rely on a bunch of crap running on old rear end mainframes that don't really support modern authentication because accounts were meant for timesharing
|
# ? May 8, 2022 03:46 |
|
|
Subjunctive posted:
> if they misenter the email address, where exactly do you send the reset email?

that's the customer retention team's problem, not the sign up team
|
# ? May 8, 2022 03:47 |
|
A Man With A Plan posted:
> Can anyone explain why, with full benefit of doubt, a website would disallow pasting passwords? What conceivable security benefits are there?

Most security is theater. The average user is an idiot and thinks more restrictions = more security. This guides 90% of security rules. See the TSA, websites, corporate security, etc.
|
# ? May 8, 2022 04:36 |
|
mystes posted:
> Weird requirements are great for making it hard to use randomly generated passwords and reducing reuse!
|
# ? May 8, 2022 04:59 |
|
my favourite password field allows pasting and autofill, but has an event handler on it that disallows submitting the form without having at least one keypress event. luckily, tab counts or it would be even more annoying
|
# ? May 8, 2022 05:57 |
|
CMYK BLYAT! posted:
> still higher than when i sold off my options in april 2020 lol

The hilarious thing is that NIST, who gathers and verifies and disseminates standards, specifically changed the standard so that arbitrary password expiration (including periodic expiration) is not recommended. Password expiration should instead be done only when there is evidence of compromise (such as malicious activity or if someone steals the hash). They also specifically say that password complexity is not recommended and a blacklist of common passwords is a better alternative. They also recommend that users be able to paste passwords in order to use password managers.
|
# ? May 8, 2022 06:15 |
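To make the contrast concrete, here is an added example (not code from the thread, and not NIST's own) that puts the legacy rules from the first post (only "!" allowed as punctuation, no more than three characters of the same class in a row) side by side with verifier checks in the spirit of NIST SP 800-63B section 5.1.1: a minimum of 8 characters, at least 64 accepted, any printable character, NFKC normalisation, a blocklist of common or breached passwords instead of composition rules, and forced rotation only on evidence of compromise. BLOCKLIST and COMPROMISE_EVENTS are constructed toy values; a real deployment would use a breached-password corpus and its own incident signals.

```python
"""Legacy composition policy vs. NIST SP 800-63B-style memorized-secret checks.

Added example. The legacy rules reproduce the two complaints from the thread;
the NIST-style checks follow SP 800-63B section 5.1.1 (length, normalisation,
blocklist, no composition rules, rotation only on compromise).
BLOCKLIST and COMPROMISE_EVENTS are constructed toy values.
"""
import unicodedata

# ---- legacy policy, the kind an old mainframe suite enforces ----

def _char_class(ch):
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "other"

def legacy_rejects(secret):
    """Return the legacy rule that rejects `secret`, or None if it passes."""
    for ch in secret:
        if not ch.isalnum() and ch != "!":
            return "punctuation other than '!'"
    run, prev = 0, None
    for ch in secret:
        cls = _char_class(ch)
        run = run + 1 if cls == prev else 1
        prev = cls
        if run > 3:
            return "more than 3 consecutive characters of the same class"
    return None

# ---- NIST SP 800-63B-style verifier checks ----

MIN_LEN = 8
MAX_LEN = 64  # the verifier must accept at least 64 characters; longer is fine

# Constructed toy blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1"}

def nist_rejects(secret, context=()):
    """Return a list of reasons `secret` is rejected; an empty list means accepted.

    `context` carries values such as the username or service name that the
    secret must not contain (800-63B lists these as blocklist material).
    """
    s = unicodedata.normalize("NFKC", secret)  # 800-63B recommends NFKC or NFKD
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    folded = s.casefold()
    if folded in BLOCKLIST:
        reasons.append("on the common/breached password blocklist")
    for ctx in context:
        if ctx and ctx.casefold() in folded:
            reasons.append(f"contains context value {ctx!r}")
    # Deliberately no composition rules (upper/lower/digit/punctuation mix):
    # 800-63B advises verifiers not to impose them.
    return reasons

# Constructed toy set of compromise indicators that justify a forced change.
COMPROMISE_EVENTS = {"breach_corpus_match", "hash_leak",
                     "credential_stuffing_hit", "user_report"}

def rotation_required(event, days_since_set):
    """Force a change only on evidence of compromise; elapsed time is never grounds."""
    _ = days_since_set  # deliberately ignored: no calendar-driven expiry
    return event in COMPROMISE_EVENTS

if __name__ == "__main__":
    for pw in ["correct horse battery staple", "Tr0ub4dor!", "password1", "x7#Kq2$mL9pZ@4vN"]:
        print(repr(pw), "| legacy:", legacy_rejects(pw), "| nist:", nist_rejects(pw))
    print("rotate after 90 days with no incident?", rotation_required(None, 90))
    print("rotate after hash leak?", rotation_required("hash_leak", 3))
```

Running it shows the point of the thread: a long passphrase and a generated 16-character secret are both thrown out by the legacy rules (spaces and "#" are punctuation), while the NIST-style checks accept them and instead reject "password1", which the legacy rules would only catch by accident through the run-length rule.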
|
https://pages.nist.gov/800-63-FAQ/ Here's a faq with more info. I like to forward this information to people so that they know that their security theater policies are actively harming user security.
|
# ? May 8, 2022 06:17 |
|
A Man With A Plan posted:
> Can anyone explain why, with full benefit of doubt, a website would disallow pasting passwords? What conceivable security benefits are there?

i looked for a result on

quote:
> Premise it's not what you shitpost, it's how
|
# ? May 8, 2022 06:28 |
|
sounds like a great way to make sure i can't log in if i'm even slightly drunk, or if my keyboard is at a different angle, or a bunch of other reasons
|
# ? May 8, 2022 06:35 |
|
don't worry, password managers actually work fine, i tested 4 of them that are all in-browser extensions

what's that? not using a browser based password manager?

quote:
> Now it's true, some password managers don't auto-populate fields and have little/no integration with your browser; KeePass is a prime example. In that scenario, you would be unable to copy/paste from KeePass to the password field. You still haven't "broken" the password manager or measurably decreased security... only the user-experience (UX) is affected.

if you remove guard rails from a cliff, you haven't broken or decreased safety, you've just changed the user experieeeeeeeeeeeeeeeee💨
|
# ? May 8, 2022 06:46 |
|
Subjunctive posted:
> if they misenter the email address, where exactly do you send the reset email?

blast each password reset email to every possible email address within an edit distance of 1 of the typed-in address

for important things though you want to make super sure the user gets their password reset emails, so mb use an edit distance of 2 or 3 if you're a financial institution
|
# ? May 8, 2022 06:56 |
|
Zamujasa posted:
> i looked for a result on

that's loving horseshit, and not just because

Shame Boy posted:
> sounds like a great way to make sure i can't log in if i'm even slightly drunk, or if my keyboard is at a different angle, or a bunch of other reasons

while that's a valid concern, even if you're completely sober i guarantee your typing habits on a touch keyboard vs a physical one are very different
|
# ? May 8, 2022 07:03 |
|
oh absolutely, the entire argument is dumb as poo poo and that guy is a clown
|
# ? May 8, 2022 07:08 |
|
sb hermit posted:
> https://pages.nist.gov/800-63-FAQ/

cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

this is a tinfoil hat take but i am sure people think like this in countries other than the us

otoh did the same org not recommend those weakened ecc curves?
|
# ? May 8, 2022 07:30 |
|
Funny enough, I use keepass because it doesn't integrate with my browser. That way, I know how to backup, migrate, and test my password databases. Also, if there's some insane 0day that completely breaks firefox and chrome and forwards all passwords to a website using a watering hole attack, I'll still be ok because keepass would be in a completely separate process.
|
# ? May 8, 2022 07:31 |
|
Penisface posted:
> cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

nist has nothing to do with the cia or encryption (beyond publishing standards other agencies or entities come up with). they send out a rfc and get responses, pick one and publish it. the cia actually has to follow their guidelines, not the other way round

e: you might be thinking of the nsa, which is responsible for cryptanalysis. they did modify some pseudorandom number generator, but that's the nsa's remit anyway

Beeftweeter fucked around with this message at 07:50 on May 8, 2022
# ? May 8, 2022 07:43 |
|
sb hermit posted:
> Funny enough, I use keepass because it doesn't integrate with my browser. That way, I know how to backup, migrate, and test my password databases.

keepass on dropbox has been very needs-suiting (at least before dropbox added the client limit)
|
# ? May 8, 2022 07:46 |
|
Beeftweeter posted:
> nist has nothing to do with the cia or encryption (beyond publishing standards other agencies come up with). the cia actually has to follow their guidelines, not the other way round

my point is that an american security recommendation ended up being malicious, thereby tainting subsequent recommendations

i dont think it matters here which institution does what
|
# ? May 8, 2022 07:49 |
|
Penisface posted:
> my point is that an american security recommendation ended up being malicious, thereby tainting subsequent recommendations

well, until the eu starts mandating standards for this poo poo i don't know if some other country or intergovernmental agency would be much better or less susceptible to pressure (and tbh the eu would be a stretch to trust too)
|
# ? May 8, 2022 07:52 |
|
Penisface posted:
> cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

Yes. That was the insane dual ecc backdoor. Although I have hardly ever seen it used in practice, even when it was part of the standard (and yes, it has already been withdrawn). https://en.m.wikipedia.org/wiki/Dual_EC_DRBG

It is an incredibly big black eye for NIST, who recommended it based on guidance from NSA. Given that NSA is responsible for other lapses including the accidental release of their EternalBlue exploit (which led to the WannaCry worm: https://en.m.wikipedia.org/wiki/WannaCry_ransomware_attack), they seem to be more interested in finding and fixing vulnerabilities than hoarding them (see: https://en.m.wikipedia.org/wiki/Ghidra)

You don't have to trust NIST, but a lot of US based organizations have to follow their guidance and they have a lot of good common sense suggestions that are backed by a lot of analysis. If you have to convince someone of something, and NIST already backs that position, then it's not a bad idea to crib their work and save you some time.

One last point. NIST is pretty clear and public about requirements for systems that require high security. This is because they want to encourage use of commercial tech instead of expensive custom built solutions (see: csfc). So it makes little sense to require use of insecure curves or algorithms if other countries would be able to find any flaws.
|
# ? May 8, 2022 07:55 |
|
I mean, there's little point to thinking that there's a conspiracy afoot when NIST recommends against arbitrary password expiration. A lot of it is just reasonable stuff, although quite exhaustive. It's the inscrutable stuff, like crypto algorithms, that would rightly tend to attract a more jaundiced eye. Probably why wireguard doesn't use any of the NIST approved algorithms (as far as I know).

But as another poster said before, NIST generally just picks whatever makes sense. It should be pointed out that AES was not initially developed in the states, but in Belgium. Same with the SHA-3 family. If there was a flaw introduced, then surely the original developers would have spoken up.

EDIT: fix misspelling

sb hermit fucked around with this message at 08:22 on May 8, 2022
# ? May 8, 2022 08:08 |
|
Penisface posted:
> cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

The real power in a NIST policy guidance document isn't whether it's right or not. It's that if you do it that way it's also harder to sue you or deny insurance claims if something goes tits up, and that the opposite applies too - if you don't it's easier to have both of those things happen. That only applies to US companies though.

That NIST is objectively correct in their guidance means that the above is useful in forcing people to abandon stupid timewasting stuff like automatic password expirations.

El Mero Mero fucked around with this message at 08:23 on May 8, 2022
# ? May 8, 2022 08:21 |
|
The Dual_EC_DRBG was an awful idea and it really undermined trust in the NIST, which is unfortunate because they do make good standards.

What bugs me about this though is that people just think NIST = NSA = bad without applying critical thinking. The whole point of Dual EC was that it was supposed to be a NOBUS backdoor. You needed to know secret values to be able to use it.* Weakening password requirements has no such limitations, anyone can crack passwords more effectively that way, there's no secret keys you need to know, you don't need a secret NSA supercomputer or something. Anyone can do it.

Do you really think the NIST would want to weaken password complexity requirements for everyone? Coupled with the fact that NIST standards are applied mostly within the US, why would they want to weaken US password security mainly? How does weakening US security and not other countries help the NSA in any way?

*This worked until someone else figured it out, hacked Juniper and replaced those secret values with their own. So much for NOBUS. More like NOBTHEM.
|
# ? May 8, 2022 08:28 |
|
Penisface posted:
> my point is that an american security recommendation ended up being malicious, thereby tainting subsequent recommendations

tbf NIST was as mad as everyone else that that happened, they genuinely didn't seem to be in on it at all.
|
# ? May 8, 2022 09:07 |
|
spankmeister posted:
> Do you really think the NIST would want to weaken password complexity requirements for everyone? Coupled with the fact that NIST standards are applied mostly within the US, why would they want to weaken US password security mainly? How does weakening US security and not other countries help the NSA in any way?

i dont really think they want that. its just that thanks to this past violation of trust, i am sure people are more distrustful of any recommendations, and sometimes those people are not technical enough to think about it more than “americans lied”, and sometimes those people are decisionmakers too

of course this applies mostly outside of the united states
|
# ? May 8, 2022 09:08 |
|
i guess the real question is: how much are nist a tool of united states foreign policy? and will their quality of service suffer if its needed for us global hegemony? idk

this is probably not so relevant for information security either, so sorry about the derail
|
# ? May 8, 2022 09:14 |
|
sb hermit posted:
> The hilarious thing is that NIST, who gathers and verifies and disseminates standards, specifically changed the standard so that arbitrary password expiration (including periodic expiration) is not recommended. Password expiration should instead be done only when there is evidence of compromise (such as malicious activity or if someone steals the hash). They also specifically say that password complexity is not recommended and a blacklist of common passwords is a better alternative.

this is precisely the document i quoted in the "why are we doing this, don't" ticket

however, the person implementing the system roundly ignored this, since "making an actually good system" was less their goal than "making a system, that they think is good, so they can tell execs they made a good system". improving the system would take valuable time that could be instead spent talking up how good of a system they made

Penisface posted:
> cant take nist advice, its the us which means its basically cia and the recommendations are in some clever way actually weakening your security

thankfully most people in charge of this stuff are not c-spam posters. it's kinda a hanlon's razor deal--they don't think the recommendations are bad, they simply have no idea that recommendations exist or that recommendations may exist outside whatever tribal knowledge they've accumulated at all

Qtotonibudinibudet fucked around with this message at 09:28 on May 8, 2022
# ? May 8, 2022 09:25 |
|
Penisface posted:
> i guess the real question is: how much are nist a tool of united states foreign policy? and will their quality of service suffer if its needed for us global hegemony? idk

NIST's primary purpose is internal standards for the US domestically, like maintaining the atomic clock that sets the government official time, stuff like that. they're probably not going to be used as an international political tool any more than like, the department of fish and wildlife
|
# ? May 8, 2022 09:29 |
|
I don't do anything infosec with NIST but I use a lot of datasets they provide and it's good poo poo but maybe my radiation cross section figures have been sabotaged by a three letter agency
|
# ? May 8, 2022 09:34 |
|
Penisface posted:
> i guess the real question is: how much are nist a tool of united states foreign policy? and will their quality of service suffer if its needed for us global hegemony? idk

Other countries will likely have their own standards, likely written in their own language, so on the surface, the effect is minimal. Businesses will likely only implement the minimum needed to fulfill legal requirements and insurance requirements and whatever will ultimately save enough money to be worth the time to implement.

However, companies providing services to the US government or otherwise subject to US laws (like HIPAA), or even companies providing services to US government contractors, may need to implement NIST guidance to be able to sell their wares. For example, if you do any encryption of certain kinds of data, you'll need to provide documentation that your cryptographic modules are FIPS 140-2 certified. It's why Samsung phones and the Ubuntu Linux OS have spent a large amount of time and money to be certified.

But at any rate, the NIST standards are generally gold, and provide exhaustive coverage on a lot of expansive topics that simply aren't available elsewhere. Unless your requirements demand their use, however, nothing stops you (or anyone else) from just ignoring them.

It should be pointed out that weakened standards will be pointed out by researchers and further undermine trust in the organization. Not to mention potential leaks if another backdoored algorithm is shipped. No one wants to buy american products with state mandated back doors and vulnerabilities, so international trust in NIST is key.
|
# ? May 8, 2022 10:07 |
|
Shame Boy posted:
> NIST's primary purpose is internal standards for the US domestically, like maintaining the atomic clock that sets the government official time, stuff like that. they're probably not going to be used as an international political tool any more than like, the department of fish and wildlife

i think in reality this means that software will tend to be built to NIST standards/requirements, because for better or worse most software is built to united states standards, so if the software maker wants to have the biggest market, they better be compliant with NIST

i am also quite sure that other countries take heed if NIST changes guidance, since small podunk places simply do not have the resources to build up and maintain a comprehensive information security guidance
|
# ? May 8, 2022 11:18 |
|
Penisface posted:
> i think in reality this means that software will tend to be built to NIST standards/requirements, because for better or worse most software is built to united states standards, so if the software maker wants to have the biggest market, they better be compliant with NIST

there aren't many alternatives for the stuff that matters. NIST is basically codifying "we, an official US govt org, recognize these algorithms that the math researchers came up with". sure, there's like, say, alternatives in the sense that GOST has certified other algorithms developed by Russian cryptographers, and they're sound, but what the gently caress benefit are you getting by using those over the US ones? there's like maybe <100 people with the expertise needed to develop these things in the world, and they're pretty drat good at it. the academics doing so in public are perfectly competent. the academics doing so in private (for the NSA or whatever) aren't magically some order of magnitude more capable, they're just tasked with breaking things rather than building hard to break things, and sometimes they succeed. ultimately, market forces (read: someone making a good implementation of X rather than Y) end up favoring one or the other, but that's not really a comment on suitability or robustness most of the time. offensive cryptographers at the NSA try to break whatever's in use: if everyone was using GOST algorithms, they'd invest far more work into that than they do against the NIST algorithms (or popular non-NIST stuff--surely someone's tasked with finding weaknesses in CHACHA20-POLYwhatever despite it lacking a government endorsement).

in practice, the poo poo everyone else uses is good enough for you, since you're on the not-Mossad side of the Mossad/not-Mossad threat model, so GOST crypto is relegated to a smattering of Russian government sites and various post-Soviet militaries

there's certainly historical precedent for interference for advantage in both dual EC DRBG or the bullshit around the clipper chip and/or "export grade" cryptography, but there's also precedent in the other direction re the DES improvements. privately and covertly writing algorithmic backdoors in an active area of mathematical research is hard, so most of it ends up being of the explicit "we can gently caress you if we want to" variety like export crypto (a laughably pointless endeavor where the US tries to treat math like advanced manufacturing processes and tooling). dual ec is the odd one out where they tried to do poo poo via math because EC standardization means choosing specific curves to optimize, so there was an actual opportunity, and even then it meant fuckall other than the scandal since nobody used it

the NSA is far more likely to, and entirely capable of, compromise vulnerable implementations. compromising the math covertly is hard as poo poo, so they don't rely on it--it's just "wow our jobs are easy af now" gravy if they actually manage to
|
# ? May 8, 2022 12:34 |
|
El Mero Mero posted:
> That NIST is objectively correct in their guidance means that the above is useful in forcing people to abandon stupid timewasting stuff like automatic password expirations.

what makes you feel that it’s objectively correct? I waved that doc in the face of a lot of people because I hate password rotation, but I admit I don’t know enough to actually analyze the evidence and determine that it’s correct. they could be mistaken or manipulated again in some way—what tells you that this is not the case here? (to be clear, I’m not saying rotation is good, I’m just interested in the notion of “objectively correct” here because I don’t have the expertise to come to that sort of conclusion myself)
|
# ? May 8, 2022 12:58 |
|
Routine password rotation is dumb because it just makes people increment numbers

If you only make people change passwords when they're actually compromised, you have a better chance of persuading them to actually change it to something completely different
|
# ? May 8, 2022 13:06 |
|
sure, I can imagine (and have) lots of intuitive reasons to not have it as a policy. I argued them before NIST! but NIST aren’t themselves security experts, and I haven’t analyzed the sources they used to come to the conclusion, so it’s sort of a hollow appeal to authority for me to just namedrop NIST
|
# ? May 8, 2022 13:08 |
|
Beeftweeter posted:
> this is sadly the case in a lot of massive businesses, especially banks and financial services because they rely on a bunch of crap running on old rear end mainframes that don't really support modern authentication because accounts were meant for timesharing

eh, TOPSECRET has moved past 8 character long passwords. I forget how long pass phrases can be.
|
# ? May 8, 2022 15:31 |
|
now i want to see a NIST procedural drama. bustin' down doors and kickin rear end for crimes against the metric system, or a hot tip on a group policy enforcing allll the password complexity requirements, rotated weekly.
|
# ? May 8, 2022 15:32 |
|
Zamujasa posted:
> i looked for a result on

switching to colemak for your health and security
|
# ? May 8, 2022 15:39 |
|
fins posted:
> now i want to see a NIST procedural drama. bustin' down doors and kickin rear end for crimes against the metric system, or a hot tip on a group policy enforcing allll the password complexity requirements, rotated weekly.

Nonzero chance that happens, the postal inspection service ran their saturday-morning version of "CSI: Mailbox" for almost 5 years
|
# ? May 8, 2022 16:03 |
|
|
shame on an IGA posted:
> Nonzero chance that happens, the postal inspection service ran their saturday-morning version of "CSI: Mailbox" for almost 5 years

there was also one for the cdc/nih https://www.imdb.com/title/tt0411011/
|
# ? May 8, 2022 16:08 |