Here is the text of the NIST sp800-63b Digital Identity Guidelines.

336 points

Reworded rules for clarity:

  1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
  2. Max length should allow at least 64 chars.
  3. You should accept all ASCII plus space.
  4. You should accept Unicode; if doing so, you must count each code as one char.
  5. Don’t demand composition rules (e.g. “u’re password requires a comma! lol lmao haha” tier idiocy)
  6. Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
  7. Don’t store password hints that others can guess.
  8. Don’t prompt the user to use knowledge-based authentication.
  9. Don’t truncate passwords for verification.

I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.

permalink
report
reply
117 points

NIST generally knows what they’re doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.

permalink
report
parent
reply
26 points

NIST generally knows what they’re doing

For now, at least. Could change after Inauguration Day.

permalink
report
parent
reply
7 points

Didn’t know about sha3.

permalink
report
parent
reply
59 points

I hate that anyone has to be told not to truncate passwords. Like even if you haven’t had any training at all, you’d have to be advanced stupid to even come up with that idea in the first place.

permalink
report
parent
reply
24 points

Microsoft used to do that. I made a password in the late 90’s for a we service and I found out that it truncated my password when they made it after it warned my my password was too long when I tried to log in. It truncated at 16 characters.

permalink
report
parent
reply
7 points

The weirdest one I found was a site that would only check to see if what you entered started with the correct password. So if your password was hunter2 and you tried hunter246, it would let you in.

Which means not only were they storing the password, but they had to go out of their way to use the wrong kind of string comparison.

permalink
report
parent
reply
1 point

The LM password hash (predecessor to NTLM) was calculated in two blocks of 7 characters from that truncated 14 characters. Which meant the rainbow table for that is much smaller than necessary and if your password is not 14 characters, then technically part of the hash is much easier to brute force, because the other missing characters are just padded with null.

permalink
report
parent
reply
8 points

Can you elaborate further? Why would someone want to truncate passwords to begin with?

permalink
report
parent
reply
23 points

To save a few megabytes of text in a database somewhere. Likely the same database that gets hacked.

permalink
report
parent
reply
52 points
*
  1. Don’t truncate passwords for verification.

It needed to be said. Because some password system architects have been just that stupid.

Edit: Fear of other’s stupidity is the mind killer. I will face my fear. My fear will wash over me, and when it has passed, only I will remain. Or I’ll be dead in a car accident caused by an AI driver.

permalink
report
parent
reply
53 points

I’ve seen sites truncate when setting, but not on checking. So you set a password on a site with no stated limit, go to use said password, and get locked out. It’s infuriating

permalink
report
parent
reply
23 points
*

Years back, I had that happen on PayPal of all websites. Their account creation and reset pages silently and automatically truncated my password to 16 chars or something before hashing, but the actual login page didn’t, so the password didn’t work at all unless I backspaced it to the character limit. I forgot how I even found that out but it was a very frustrating few hours.

permalink
report
parent
reply
10 points

Sounds like my bank.

permalink
report
parent
reply
7 points

Another ridiculous policy I’ve seen (many years ago) is logging in too fast. I used to get locked out of my banks website all the time and I used autotype with KeePass so I was baffled when it wouldn’t get accepted. Eventually I had a thought to slow down the typing mechanism and suddenly I didn’t get locked out anymore.

permalink
report
parent
reply
36 points
*

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

This is a big one. Especially in corporate environments where most of the users are, shall we say, not tech savvy. Forcing people to comply with byzantine incomprehensible password composition rules plus incessantly insisting that they change their password every 7/14/30 days to a new inscrutable string that looks like somebody sneezed in punctuation marks accomplishes nothing other than enticing everyone to just write their password down on a Post-It and stick it to their monitor or under their keyboard.

Remember: Users do not care about passwords. From the perspective of anyone who isn’t a programmer or a security expert, passwords are just yet another exasperating roadblock some nerd keeps putting in front of them that is preventing them from doing whatever it is they were actually trying to do.

permalink
report
parent
reply
32 points

Everyone I’ve spoken to who has a password change rule just changes one character from their previous password. It does NOTHING.

permalink
report
parent
reply
21 points

That works great until some dickhole implements the old, “New password cannot contain any sequence from your previous (5) passwords.”

This also of course necessitates storing (multiple successive!) passwords in plain text or with a reversible cipher, which is another stupid move. You’d think we’d have gotten all of this out of our collective system as a society by now, and yet I still see it all the time.

All of these schemes are just security theater, and actively make the system in question less secure while accomplishing nothing other than berating and frustrating its users.

permalink
report
parent
reply
13 points
*

“I just increment the number at the end” is a phrase I’ve heard so many times

permalink
report
parent
reply
19 points

NIST are bureaucrats sure, but bureaucrats with lots and lots of practical experience.

permalink
report
parent
reply
13 points

Only issue I see is that the 8 chars required is very short and easy to brute force. You would hope that people would go for the recommended instead, but doubt it.

permalink
report
parent
reply
11 points

I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible

NIST knows what they’re doing. It’s getting organizations to adapt that’s hard. NIST has recommended against expiring passwords for like a decade already, for example, yet pretty much every IT dept still has passwords expiring at least once a year.

permalink
report
parent
reply
11 points

re #7, I hope they are also saying no ‘secret questions’ to reset the password?

permalink
report
parent
reply
13 points

Yeah, I think 7 and 8 both cover that. I recently signed up for an account where all of the “security questions” provided asked about things that could be either looked up or reasonably guessed based on looked up information.

We live in a tech world designed for the technically illiterate.

permalink
report
parent
reply
10 points
*

I usually invent answers to those and store those answers in a password manager. Essentially turns them into backup passwords that can be spoken over the phone if necessary.

Where was I born? “Stallheim, EUSA, Mars”

Name of first pet? “Groovy Tuesday”

It’s fun, usually.

permalink
report
parent
reply
5 points

Sarah Palin had her Yahoo mail account hacked because of those “security” questions. In 2008. We should be well past the time where they are a thing.

permalink
report
parent
reply
1 point

I think so, based on the original: “Verifiers and CSPs [credential service providers] SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.” With “shall not” being used for hard prohibitions.

permalink
report
parent
reply
10 points

I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.

permalink
report
parent
reply
6 points
*

That stipulation goes rather close to #5, even not being a composition rule. EDIT: see below.

I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you’re reasonably sure that your delay between failed password attempts works flawlessly.

EDIT: as I was re-reading the original, I found the relevant excerpt:

If the CSP [credential service provider] disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other complexity requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.

So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren’t associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it’s just some muppet trying passwords online versus trying it offline.

permalink
report
parent
reply
6 points

You should accept Unicode; if doing so, you must count each code as one char.

Hmm. I wonder about this one. Different ways to encode the same character. Different ways to calculate the length. No obvious max byte size.

permalink
report
parent
reply
10 points

Who cares? It’s going to be hashed anyway. If the same user can generate the same input, it will result in the same hash. If another user can’t generate the same input, well, that’s really rather the point. And I can’t think of a single backend, language, or framework that doesn’t treat a single Unicode character as one character. Byte length of the character is irrelevant as long as you’re not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.

permalink
report
parent
reply
5 points

It matters for bcrypt/scrypt. They have a 72 byte limit. Not characters, bytes.

That said, I also think it doesn’t matter much. Reasonable length passphrases that could be covered by the old Latin-1 charset can easily fit in that. If you’re talking about KJC languages, then each character is actually a whole word, and you’re packing a lot of entropy into one character. 72 bytes is already beyond what’s needed for security; it’s diminishing returns at that point.

permalink
report
parent
reply
1 point

If the same user can generate the same input, it will result in the same hash.

Yes, if. I don’t know if you can guarantee that. It’s all fun and games as long as you’re doing English. In other languages, you get characters that can be encoded in more than 1 way. User at home has a localized keyboard with a dedicated key for such a character. User travels across the border and has a different language keyboard and uses a different way to create the character. Euro problems.

https://en.wikipedia.org/wiki/Unicode_equivalence

Byte length of the character is irrelevant as long as you’re not doing something ridiculous like intentionally parsing your input in binary and blithely assuming that every character must be 8 bits in length.

There is always some son-of-a-bitch who doesn’t get the word.

  • John F. Kennedy
permalink
report
parent
reply
3 points

It’s crazy that they didn’t include all the “should” items in that list. If you read the entire section, there’s a critical element that’s missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using “password” as their password, and keeping that forever. Really, really poor organization on their part. I’m already fighting this at work.

permalink
report
parent
reply
1 point
*

I think it’s pretty idiotic to

Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.

If a website doesn’t enforce it, people are just going to do a password like password

password is a totally valid password under this rule. Any 8 letter word is valid. hopsital for example.

These passwords can be cracked in seconds under 10 minutes, and have their hashes checked for in leaks in no time if the salt is also exposed in the hack.

Edit: Below

Numbers from a calculator with 8 characters using sha2 (ignoring that crackers will try obvious fill ins like 0 for o and words before random characters, this is just for example)

hospital 5m 23s

Hospital 10m 47s

Hospita! 39m 12s

Moving beyond 8

Hospita!r - 19h 49m

Hospita!ro 3w 4d

Hospita!roo 2y 1m

Hospita!room 66 years

The suggestion of multiple random words makes not needing the characters but you have to enforce a longer limit then, not 8.

At least with 11 characters with upper case and special characters if it was all random you get about 2 years after a breach to do something instead of mere weeks. If it was 11 characters all lower case nothing special you’d only get 2 months and we are rarely notified that fast.

permalink
report
parent
reply
3 points

They might mean well, but the reason we require a special character and number is to ensure the amount of possible characters are increased.

The problem with this sort of requirement is that most people will solve it the laziest way. In this case, “ah, I can’t use «hospital»? Mkay, «Hospital1» it is! Yay it’s accepted!”. And then there’s zero additional entropy - because the first char still has 26 states, and the additional char has one state.

Someone could of course “solve” this by inserting even further rules, like “you must have at least one number and one capital letter inside the password”, but then you get users annotating the password in a .txt file because it’s too hard to remember where they capitalised it or did their 1337.

Instead just skip all those silly rules. If offline attacks are such a concern, increase the min pass length. Using both lengths provided by the guidelines:

  • 8 chars, mixing:minuscules, capitals, digits, and any 20 special chars of your choice, for a total of 82 states per char. 82⁸ = 2*10¹⁵ states per password.
  • 15 chars, using only minuscules, for a total of 26 states per char. Number of states: 26¹⁵ = 1.7*10²¹ states per password.
permalink
report
parent
reply
1 point
*

But they mess that up with their 8 char rule

Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.

I’d they’d just said shall require 15 but not require special chars then that’s okay, but they didn’t.

Then you end up with the typical shitty manager who sees this, and says they recommend 8 and no special chars, and that’s what it becomes.

permalink
report
parent
reply
-26 points

What kind of barbarian puts a space in their password?

permalink
report
parent
reply
44 points

Very common for pass phrases, and not dissuaded. Pass phrases are good for people to remember without using poor storage practices (post it notes, txt file, etc) and are strong enough to keep secure against brute force attacks or just guessing based off knowledge of the user.

permalink
report
parent
reply
10 points

On one hand, that’s true. On the other hand, a person should only need exactly one passphrase, which is the one used to unlock their password manager. Every other password should be randomly-generated and would only contain space characters by chance.

permalink
report
parent
reply
29 points

I’m waiting for backspace to be a valid character

permalink
report
parent
reply
3 points

Also there’s the no space space. But that’s really only useful in hacking bad implementations of html parsers or putting in your code you post online to mess with people.

permalink
report
parent
reply
16 points

gosh who would want an uncommon character that obviously most average people aren’t thinking about in their passwords, that sounds like it might even be somewhat secure.

permalink
report
parent
reply
1 point

hunter 2

unhackable

permalink
report
parent
reply
6 points

My passphrase includes several spaces. It’s another character to assist in entropy.

permalink
report
parent
reply
1 point

I’m with you, despite seeing lemmings downvote the heck out of your comment 😢

The reason, and specifically for whitespace at the beginning or end of a password, is that a lot of users copy-paste their passwords into the form, and for various reasons, whitespace can get pasted in, causing an invalid match. No bueno.

Source: I’m a web developer who has seen this enough times that we had to implement a whitespace-trim validation for both setting & entering passwords.

permalink
report
parent
reply
7 points

Trimming whitespace from the start and end of a password is fine but you absolutely should not remove whitespace from the middle of a password.

permalink
report
parent
reply
90 points

How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

permalink
report
reply
73 points

Frankly I’m mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

There are plugins that will disallow this. I think the one I use is “don’t fuck with paste”

permalink
report
parent
reply
15 points

Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.

Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.

permalink
report
parent
reply
4 points
*

Exactly.

My host decided to update their TOS to force me to accept binding arbitration, so I Inspect Elemented that right off the page and sent a message to support to end my service effective immediately (had been a paying customer for years). You’re not going to bully me on my own browser…

permalink
report
parent
reply
1 point

Some do detect open developer tools and nuke the whole page, though.

permalink
report
parent
reply
1 point

It won’t block it yes but it will diminish the amount of people doing it which is the point

permalink
report
parent
reply
13 points

Browsers shouldn’t allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also searching on the page with ctrl + f. Like I don’t care that websites won’t to create their own experience. Don’t mess with browser behavior.

permalink
report
parent
reply
-4 points

You really want to memorise different shortcuts for search? What if you’re on a web app like discord? Ctrl+f isn’t gonna be as useful as a built in search solution that has access to data that isn’t visible until searched for. I get the issues on disabling the features but if they’re replacing browser behaviour with something that suits the site better I think that’s alright as long as it’s not s downgrade.

permalink
report
parent
reply
9 points

Never thought to look for an extension for that. Thanks for mentioning it.

permalink
report
parent
reply
3 points

You can also just run it when you need it rather than having to add an extension. Just add a bookmarklet with the code here and just click it when you encounter a problematic website.

It’ll reduce your attack surface while still getting the job done.

https://github.com/jswanner/DontF-WithPaste?tab=readme-ov-file#bookmarklet

permalink
report
parent
reply
16 points

I circumvent that by right-clicking, then choosing “Inspect element”, then switching to the tab “Console”, then typing $0.value = “TheValueIWantToPaste”. If right-clicking is also disabled, I use either F12 or Tools menu > DevTools.

permalink
report
parent
reply
16 points

that’s so easy! /s

permalink
report
parent
reply
4 points

easier than typing out a long string

permalink
report
parent
reply
1 point

That sounds fun on mobile

permalink
report
parent
reply
1 point

Or just delete the “readonly” bit. I did that on Treasury Direct for years until they finally removed that nonsense.

permalink
report
parent
reply
1 point

Sometimes it’s not “readonly”, but a Javascript thing that “event.preventDefault()” and “return false” during the “onpaste” event. As the event is generally set using elm.addEventListener instead of setting elm.onpaste, it’s not possible to remove the listener, as it’d need the reference for the handler function that was set to handle the mentioned JS event. So simply setting the value directly using elm.value bypasses the onpaste event.

permalink
report
parent
reply
15 points

It takes way less Delta V to push them into solar escape velocity.

permalink
report
parent
reply
12 points

Anger is no excuse to be inefficient with propellant after all

permalink
report
parent
reply
1 point

Idk, it might delay the sun imploding a smidge. Or maybe it would accelerate it. Eh, they know what they’re doing…

permalink
report
parent
reply
7 points

Think of the environment!

Less Delta-V to eject them from the solar system.

permalink
report
parent
reply
3 points

Don’t forget you save lots of fuel by firing out of the solar system instead

permalink
report
parent
reply
85 points
*

the document is nearly impossible to read all the way through and just as hard to understand fully

It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

permalink
report
reply
28 points

My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I’m responsible for and what we’re supposed to do about it.

Props to all the folks that can do it without losing their mind.

permalink
report
parent
reply
10 points
*

You need to first understand the grand structure of the doc, then cherry pick the content to action points. At least that’s how I do it.

permalink
report
parent
reply
6 points

You break it down into chunks and delegate. They’re not expecting any one person to implement the whole thing.

permalink
report
parent
reply
1 point

They’re not expecting any one person to implement the whole thing.

Hahaha, tell that to leadership! 😩

permalink
report
parent
reply
6 points

Useless??? Ever since the pandemic and the need for a robust remote work infrastructure, the amount of cybersecurity related job offers has exploded. And they’re very well paid where I live.

permalink
report
parent
reply
4 points
*

The knowledge and skill are useful, but I can’t say the same for the degree

permalink
report
parent
reply
1 point

It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance

My argument is that if this document (and others) are requirements for companies shouldn’t there also be a more approachable document for people to use?

Sure, have the jargon filled document that those in the know can access, but without an additional not so jargon-y document you’ve just added a barrier to change. Maybe just an abstract of the rule changes on the front page without the jargon?

I don’t know, maybe it’s not a big deal to compliance officers but just seems to me (someone that isn’t a compliance officer) that obfuscating the required changes behind jargon and acronyms is going to slow adoption of the changes.

permalink
report
parent
reply
4 points

It needs to be specific to be clear for its purposes. You can express everything in simpler terms but then you risk leaving things out of definitions. It’s basically legal speak.

Normally, you’d read the scope of such a document to see whether it fits your purpose, then cherry-pick the chapters necessary. If something’s unclear, you can google pretty much everything.

Doing that a few times will make it infinitely easier! You especially get to understand those broad, inaccessible definitions a lot easier.

permalink
report
parent
reply
41 points

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I’m good to go. If there’s no internet available, the smart card will still get me into my computer. If I’m on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

permalink
report
reply
5 points
*

I’ll log into my home desktop and I’ll get a message telling me that “it’s time to reset your password!”

First of all, how dare you, on my computer? In my home?

Secondly, I don’t even have a password on this thing

permalink
report
parent
reply
2 points
*

Eh, I think they should nag users to change their password proportional to how “strong” their password is. If you’re barely meeting the minimum: reset every few months. If you’re using a proper passphrase dozens of characters long: only reset if there’s evidence of compromise.

permalink
report
parent
reply
40 points

One thing they should change is the word “password.” This implies that it’s a short string. Changing it to “passphrase” will help people feel comfortable choosing credentials like “correct horse battery staple.”

permalink
report
reply
5 points

I recently set up a password with a 16 character max, alphanumeric only, no spaces. The service is in no way a security threat but still.

permalink
report
parent
reply
6 points
*

A couple years ago I ran into one with a 12 character limit…

I never understood password limits, other than something sufficiently large like 256 to prevent DOS. It’s not like the password is actually being stored anywhere… right? RIGHT??

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 18K

    Monthly active users

  • 12K

    Posts

  • 553K

    Comments