What's wrong with minimum length requirements? Other than "passwords shouldn't exist."
Jun 16, 2024 16:32
CommieGIR posted: Ironically this is after nearly everyone including CISA, NIST, and Microsoft has said: it's all about length, and to that end passphrases, and password expiration is stupid and pointless and only encourages worse passwords. We are still doing 3 month password rotations where I am currently at INCLUDING for PINs that have to be combined with an OTP. Drives me crazy.
Internet Explorer posted: What's wrong with minimum length requirements? Other than "passwords shouldn't exist."

Because the places where password lengths and complexity offer any safety are systems that are going to fail anyway. It's just old boomer poo poo that needs to evolve.
This is your periodic reminder that good password practice was just copy paste from nuclear launch code practice until recently, which is why rotation and long nonsense strings were recommended. Half the point was originally that you shouldn't memorize the codes, which is obviously bad for modern usage of passwords. Anyway, any system that allows you to brute force a password is rubbish. At the very least, lock the account after 10 tries. Then it more or less doesn't matter if your password is 4 or 10 characters.
Sickening posted: Because the places where password lengths and complexity offer any safety are systems that are going to fail anyway. It's just old boomer poo poo that needs to evolve.

Well, I didn't say anything about complexity. I'm still going to give guidance that people use longer, simpler passwords instead of focusing on complexity until I hear otherwise. Ideally, they'd use a password manager or passwordless, but for those who still need to actually use passwords, I feel that it is good guidance.
BonHair posted:

Any internet-facing system is just going to be constantly locked out if that's your policy.
CommieGIR posted: Yeah, I do remember reading over 4.0 and they did change it, but IIRC it's still awaiting final approval and adoption.

4.0 is out and still requires password length, it's 12 characters with alphanumerics, or 8 characters if you have some old system that can't support more than 8.
BonHair posted: Anyway, any system that allows you to brute force a password is rubbish. At the very least, lock the account after 10 tries. Then it more or less doesn't matter if your password is 4 or 10 characters.

You'd block the IP / connection, not the account, but it's not worth worrying about because nobody has done door-knock brute-force guessing at the active system for 20 years and that XKCD has been stupid and bad since the day it was posted. Password re-use is an equal or greater threat than password complexity. Phrases are just as hard to memorize with many unique passwords as anything else.

patron saint of the thread posted: Now I’m expected to remember both “Gigantic Martian Insect Party” and “Structurally Unsound Yeti Tote-bag,” and I have to somehow recall which phrase is associated with my banking web site, and which one is associated with some other site that doesn’t involve extraterrestrial insects or Yeti accoutrements.
Inept posted: 4.0 is out and still requires password length, it's 12 characters with alphanumerics, or 8 characters if you have some old system that can't support more than 8

Really feel like it should be 14 chars minimum alphanumerics.
Yes, make me memorize twenty unique passwords and then lock my account after ten failed guesses. This will go well.
Sickening posted: We still trying to focus on password length and complexity like it’s a worthwhile venture.

As a person who knows nothing: there must still be some minimum threshold of basic complexity to avoid low-level attacks, right? Or can it literally be loving "cat" nowadays because everything is leaks?
minimum length is not a bad thing tbh

complexity isn't bad either - it's just not worth it when you'd usually do better to increase minimum length

rotation is actively detrimental to password quality

if you have reasonably long passwords, you do not have to worry much about most password leaks.
Some time ago I made a web application that was requiring a login, standard username and password. Originally, I set the minimum password length to 1, since I was of the opinion that it is not my job to teach the user how to secure their account. If for you "12" is a perfectly acceptable password, then have at it. However, I received a good piece of advice from someone that made me change my mind: it's all about perception. The user may feel that the site is insecure, just because it doesn't enforce password length and/or complexity. Even though it doesn't have to be, the infrastructure is set up as securely as possible, the passwords are stored salted and hashed, etc. all the good stuff. But perception matters. Of course, the number of calls to support that users could get their account stolen was another incentive. What I ended up doing was to increase the min length (to 8 I believe) and require a number and a capital letter. Dumb, but hey. Also, I added a widget where I would show a "progress bar" of how "secure" their password was when they were setting it. It was also dumb, in the sense that one could set a relatively weak password that the widget would claim that it's good (it was looking for length and letter variations, it was smart enough to know that "aaaaaaaaa123" was bad), but it was better than nothing. Users thought it was amazing.
I'm a big fan of using https://github.com/dropbox/zxcvbn to enforce password requirements, but I've rarely seen it used in the wild.
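As an added illustration of the two posts above (the home-grown "progress bar" meter and the zxcvbn recommendation), here is a small pattern-aware strength estimator. It is example code written for this page, not the poster's widget and not zxcvbn itself; it only borrows zxcvbn's idea that a meter should subtract the information a cracker would not have to guess (repeated runs, sequences, known-breached strings) instead of rewarding raw length and character classes. The denylist, the non-ASCII allowance and the weak/fair/good/strong thresholds are assumptions made up for the example.

```python
import math
import re
import string

# Constructed stand-in for a breached-password denylist. A real deployment
# would check against a breach corpus instead of this tiny set (assumption).
BREACHED = {"password", "123456", "qwerty", "letmein", "hunter2", "welcome1"}

# Strength bands in bits of estimated guessing work; the cut-offs are an
# assumption for this example, not a standard.
BANDS = [(28, "weak"), (50, "fair"), (70, "good")]


def charset_size(pw: str) -> int:
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    if any(ord(c) > 127 for c in pw):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def find_runs(pw: str) -> list:
    """Runs of 3+ identical characters, e.g. 'aaaaaaaaa'."""
    return [m.group(0) for m in re.finditer(r"(.)\1{2,}", pw)]


def find_sequences(pw: str, min_len: int = 3) -> list:
    """Runs of 3+ consecutive code points, e.g. '123' or 'abcd'."""
    out, start = [], 0
    for i in range(1, len(pw) + 1):
        if i == len(pw) or ord(pw[i]) - ord(pw[i - 1]) != 1:
            if i - start >= min_len:
                out.append(pw[start:i])
            start = i
    return out


def estimate_bits(pw: str):
    """Naive per-character entropy minus the information lost to patterns.

    A run or sequence is charged as one symbol rather than n symbols, which is
    roughly how a rule-based cracker treats it. Returns (bits, notes).
    """
    if pw.lower() in BREACHED:
        return 0.0, ["matches a known-breached password"]
    per_char = math.log2(charset_size(pw)) if pw else 0.0
    bits = len(pw) * per_char
    notes = []
    for run in find_runs(pw):
        bits -= (len(run) - 1) * per_char
        notes.append(f"repeated run {run!r}")
    for seq in find_sequences(pw):
        bits -= (len(seq) - 1) * per_char
        notes.append(f"sequence {seq!r}")
    return max(bits, 0.0), notes


def rate(pw: str) -> str:
    """Map the bit estimate onto the BANDS labels."""
    bits, _ = estimate_bits(pw)
    for limit, label in BANDS:
        if bits < limit:
            return label
    return "strong"


if __name__ == "__main__":
    for candidate in ["aaaaaaaaa123", "hunter2", "Tr0ub4dor&3", "xK9#vQ2$mL7!pW4z"]:
        bits, notes = estimate_bits(candidate)
        print(f"{candidate!r}: {bits:.1f} bits, {rate(candidate)}, {notes}")
```

The poster's "aaaaaaaaa123" comes out at about 10 bits and "weak": a naive length-times-classes meter would credit it with 62 bits, but nine repeated characters and a "123" sequence are charged as two symbols, not twelve. The gap between those two numbers is the reason a meter that only counts length and character classes gives users a false sense of security, and why the poster's widget was, in his words, "dumb, but better than nothing".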
Klyith posted: Phrases are just as hard to memorize with many unique passwords as anything else.
Cup Runneth Over posted: Yes, make me memorize twenty unique passwords and then lock my account after ten failed guesses. This will go well.

Well this is why copy paste functionality and password managers are highly encouraged.
CommieGIR posted: Really feel like it should be 14 chars minimum alphanumerics

Non-console administrative access has required multifactor for a while in PCI and I think that's a better focus.
CommieGIR posted: Well this is why copy paste functionality and password managers are highly encouraged

Yes, if you require your users to use password managers then you should absolutely lock an account after 5-10 wrong passwords.
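The disagreement running through this thread (lock the account after 10 tries, versus block the source address, versus "this will go well" when the lockout hits the legitimate owner) is easy to see in code. The following is an added example written for this page, not anything a poster shipped: one sliding-window failure counter that can be keyed by account name or by source address, and a deterministic simulation of the same ten wrong guesses under each policy. Account names, passwords and addresses are constructed (the addresses are from the RFC 5737 documentation ranges); the limit, window and block duration are assumptions.

```python
from collections import defaultdict, deque


class FailureThrottle:
    """Sliding-window counter of failed logins keyed by an arbitrary string
    (account name or source address). After `limit` failures within `window_s`
    seconds the key is blocked for `block_s` seconds. The clock is passed in
    explicitly so the demonstration is deterministic."""

    def __init__(self, limit: int, window_s: float, block_s: float):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self.failures = defaultdict(deque)   # key -> timestamps of failures
        self.blocked_until = {}              # key -> time the block expires

    def _prune(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window_s:   # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, key, now) -> bool:
        return self.blocked_until.get(key, float("-inf")) > now

    def record_failure(self, key, now):
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.limit:
            self.blocked_until[key] = now + self.block_s
            q.clear()


# Constructed credential store; a real system holds salted, slow hashes instead.
CREDS = {"alice": "correct horse battery staple"}


def verify(account, password):
    return CREDS.get(account) == password


def attempt(throttles, account, source, password, now):
    """Return 'blocked', 'ok' or 'bad'. `throttles` maps the policy name
    ('account' or 'source') to the FailureThrottle enforcing it."""
    keys = {"account": account, "source": source}
    if any(t.is_blocked(keys[name], now) for name, t in throttles.items()):
        return "blocked"
    if verify(account, password):
        return "ok"
    for name, t in throttles.items():
        t.record_failure(keys[name], now)
    return "bad"


def simulate(policy: str):
    """policy='account' locks the account after 10 failures (the thread's
    'lock after 10 tries'); policy='source' throttles the originating address
    instead. Returns (result for the guesser, result for the real owner)."""
    throttles = {policy: FailureThrottle(limit=10, window_s=600, block_s=900)}
    for i in range(10):  # ten wrong guesses against alice from one address
        attempt(throttles, "alice", "203.0.113.7", f"guess{i}", now=i)
    guesser = attempt(throttles, "alice", "203.0.113.7", "guess10", now=11)
    # alice, from her own address, with the right password a moment later
    owner = attempt(throttles, "alice", "198.51.100.5", CREDS["alice"], now=12)
    return guesser, owner


if __name__ == "__main__":
    print("account lockout:", simulate("account"))   # ('blocked', 'blocked')
    print("source throttle:", simulate("source"))    # ('blocked', 'ok')
```

Under the account policy the owner is locked out along with the guesser, which is exactly the denial of service Cup Runneth Over complains about and why Klyith says to block the connection rather than the account. Per-source throttling alone has the opposite weakness: a guesser that rotates addresses never trips it, which is why production systems usually pair per-source limits with a per-account slowdown (growing delays or a step-up challenge) rather than a hard lock, and why the thread keeps landing on MFA as the thing that makes the guessing moot.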
I mean, the real solution is probably some sort of SSO with MFA attached, so you don't need separate passwords for every site. Password managers are basically just a stepping stone to that. On the flipside, you're gonna be putting all your eggs in the Azure (it's gonna be Azure) basket, so you need a backup plan for admins at least.
Inept posted: non-console administrative access has required multifactor for a while in PCI and I think that's a better focus

True. Multifactor is gonna be a bigger thing than password complexity especially with FIDO2.
Password requirements should be complexity or length. The shorter the password the more complex it should be. Password age requirements need to die.
Buff Hardback posted: I'm a big fan of using https://github.com/dropbox/zxcvbn to enforce password requirements, but I've rarely seen it used in the wild.
spankmeister posted: Password requirements should be complexity or length. The shorter the password the more complex it should be. Password age requirements need to die.

My one-character password is "∞". Length and complexity, baby!
Klyith posted: Now I’m expected to remember both “Gigantic Martian Insect Party” and “Structurally Unsound Yeti Tote-bag,” and I have to somehow recall which phrase is associated with my banking web site, and which one is associated with some other site that doesn’t involve extraterrestrial insects or Yeti accoutrements.

IMO this is where passphrase hints come into play. That first site could have a hint 'the martian one' and the second 'the yeti one' and me sitting here hacking your account would still have no idea what you were on about. But like everybody else said ideally you have one strong passphrase on your password manager and then all your account passwords are just strings of gibberish that you've never even seen.
Who the hell is talking about remembering all these different passwords? That's what password managers are for. You remember a small handful of passphrases the most important one being for your password manager and the rest is automatically generated and stored in your password manager.
spankmeister posted: Who the hell is talking about remembering all these different passwords? That's what password managers are for. You remember a small handful of passphrases the most important one being for your password manager and the rest is automatically generated and stored in your password manager.

Seriously, this. Wtf??
I'm curious what people's guesses are for the percentage of workers who use a computer who use a password manager. It's gotta be like 25%, tops.
less than 10
i'll take the under on that, unless you're counting keychain, built-in browser password managers, and similar
Yeah, 25% seems high.
It depends, can we break it up into age brackets. I figure 18-30 is probably 30%. Anything above that is 10% tops.

e: I don't have access to the latest browser statistics, but based on a survey conducted by NordPass, about 56% of people use a password manager in 2021. However, it's worth noting that this number may vary depending on the source and the specific population surveyed.

That's what chatgpt says.

Further edit, if we think about mobile now cause let's face it, our 60 year old parents aren't using a computer, they're on an iPad or a droid. I can see it being more prevalent if they actually knew how to use it.

jaegerx fucked around with this message at 02:38 on Jan 22, 2023
10% or less for sure.
Internet Explorer posted: I'm curious what people's guesses are for the percentage of workers who use a computer who use a password manager. It's gotta be like 25%, tops.

I'll take the over, if you include "people that click yes when the browser offers to remember their password".
Achmed Jones posted: if you have reasonably long passwords **and don't re-use them**, you do not have to worry much about most password leaks.

fixed (sometimes leaks are plaintext, and your long high-entropy password is no more protection than hunter2)

Albinator posted: Not my experience, but that's with generating and keeping most creds in a password manager, so only a need for memorizing a handful of things.

Oh yes, definitely! There's absolutely nothing wrong with pass-phrases, they're just not a panacea that solves the problem caused by not using a password manager / living in the passwordless future. Telling people to switch from their oldschool alpha-numer-symbol password to a passphrase, and nothing else, is not much of an upgrade to their security because they will just put correct horse battery staple into every website and service. If your 4 word passphrase is 4 words in the top 10,000 by frequency, it can now be cracked by a single 4090 in ~55.5 hours vs SHA1 hashing. GPUs are getting more powerful all the time. Human memory still sucks.
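The "~55.5 hours" figure above, and the earlier argument over 8 versus 12 versus 14 alphanumerics, both come from the same arithmetic: keyspace divided by guessing rate. Here is that arithmetic as an added example for this page (not the poster's calculation), generalised so it covers word-based passphrases and random character passwords side by side. The only figure taken from the thread is the 10,000-word, 4-word, SHA-1 case; the hash rates are assumptions, with 5e10 SHA-1 hashes per second chosen because it reproduces the post's 55.5 hours, and 1e5 per second as a rough stand-in for a deliberately slow password hash such as bcrypt on the same hardware.

```python
import math

# Guessing rates in hashes per second, assumed for this example: 5e10/s is what
# the post's "~55.5 hours for 10,000^4 guesses against SHA-1 on one 4090"
# implies; 1e5/s is a rough figure for a slow password hash (bcrypt at a
# sensible cost) on the same GPU.
RATES = {"SHA-1 (fast hash, one GPU)": 5e10, "bcrypt (slow hash, one GPU)": 1e5}


def passphrase_guesses(words: int, wordlist_size: int) -> int:
    """Keyspace of a passphrase of `words` words drawn from a list of `wordlist_size`."""
    return wordlist_size ** words


def random_password_guesses(length: int, alphabet_size: int) -> int:
    """Keyspace of a uniformly random password of `length` symbols."""
    return alphabet_size ** length


def entropy_bits(guesses: int) -> float:
    """Strength expressed as bits: log2 of the keyspace."""
    return math.log2(guesses)


def hours_to_exhaust(guesses: int, rate: float) -> float:
    """Hours to try the whole keyspace at `rate` guesses/s (worst case for the
    attacker; the expected time to hit one password is half of this)."""
    return guesses / rate / 3600


def report(label: str, guesses: int) -> dict:
    """Bits and exhaust time under every rate in RATES."""
    hours = {name: hours_to_exhaust(guesses, r) for name, r in RATES.items()}
    return {"label": label, "bits": entropy_bits(guesses), "hours": hours}


if __name__ == "__main__":
    cases = [
        ("4 words from the top 10,000", passphrase_guesses(4, 10_000)),
        ("5 words from the top 10,000", passphrase_guesses(5, 10_000)),
        ("4 words from a 7,776-word diceware list", passphrase_guesses(4, 7776)),
        ("8 random alphanumerics", random_password_guesses(8, 62)),
        ("12 random alphanumerics", random_password_guesses(12, 62)),
    ]
    for label, guesses in cases:
        r = report(label, guesses)
        print(f"{label}: {r['bits']:.1f} bits")
        for name, h in r["hours"].items():
            print(f"  {name}: {h:,.1f} hours ({h / 8760:,.1f} years)")
```

Two things fall out of the numbers. A passphrase's strength is its word count times log2 of the list size, not its character length: the 28-character "correct horse battery staple" drawn from a 10,000-word list is only about 53 bits, and adding a fifth word buys more than adding ten characters to each word would. And the hash function on the server side moves the same keyspace from hours to millennia, which is the part of the picture the user cannot control; none of it helps if the phrase is reused into a site that leaks it in plaintext, which is the poster's actual point.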
There are two passwords I know offhand:

- My 1Password password
- My Mac password

That’s literally all I know, both are 4-5 word pass phrases.
leaks are rarely plaintext these days. it happens, but there's a reason i used the qualifier "most".
jaegerx posted: So basically I find the accounting department. Send them a txt I need 10k in $500 Apple Cards and it works? My mom is 67 and doesn’t fall for that poo poo

At $JOB-1 I hired a network consultancy to document a process for us so I could give customers access to a specific server in our DMZ and only that one box. About halfway through the project, with nothing delivered, they invoiced us for all $2700. Accounts Payable paid them. We did not get the documentation.

e.

Klyith posted: You'd block the IP / connection, not the account, but it's not worth worrying about because nobody has done door-knock brute-force guessing at the active system for 20 years and that XKCD has been stupid and bad since the day it was posted.

Twenty years? In 2008 I inherited ftp.$COMPANY.com. This was a physical box in the server room, a PPC G4 Mac tower running an old version of OS X and a commercial ftp implementation. Naturally I checked that poo poo out. The logs showed that every night we would get exactly 50 attempts to log in to the Administrateur account from IP addresses in Central Europe, mostly in France. They came in over about half an hour, so it wasn't even accidentally a DDOS. Since OS X on a G4 had no exploits in the wild, and the Administrateur account did not actually exist, I let it go. They were still politely knocking on the door 50 times every night 2 years later when I migrated ftp to AWS. The politest botnet ever. I sometimes think I should have put up a honeypot, but the crappy software it was running wouldn't let me set up an ftp account that would take any arbitrary password.

mllaneza fucked around with this message at 08:33 on Jan 22, 2023
https://twitter.com/mspfa/status/1616453697139007489

https://twitter.com/mspfa/status/1616454903982919681

Never assume you are too smart to be hacked. PEBKAC
Internet Explorer posted: I'm curious what people's guesses are for the percentage of workers who use a computer who use a password manager. It's gotta be like 25%, tops.

A disturbing number of my colleagues save their passwords in plain .txt files and happily copy-paste from them while screen sharing on Teams meetings. I've repeatedly advised them to use KeePass or something, but they just never do.
Why would you be analyzing malware on your normal workstation and not inside a controlled environment. Why.