EmailDiscussions.com

EmailDiscussions.com (http://www.emaildiscussions.com/index.php)
-   The Off-Topic Lounge (http://www.emaildiscussions.com/forumdisplay.php?f=23)
-   -   you shouldn’t be forced to use special characters in your passwords (http://www.emaildiscussions.com/showthread.php?t=72792)

janusz 25 Jun 2017 09:28 PM

you shouldn’t be forced to use special characters in your passwords
From the Quartz Media magazine:

Quote:

The standards organization of the United States, NIST, has concluded that many common requirements for passwords, like forcing you to use special characters, are misguided.

Instead, NIST recommends the use of lengthy passwords, and instructs administrators to allow passwords to run at least 64 characters long. It also says people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.

[T]he guidelines say that administrators should take actions that make accounts more secure than special characters ever could—for instance, preventing the use of common passwords and those that have been previously exposed in breaches, and creating a waiting period between incorrect login attempts.
Link to the NIST guidelines (only four volumes, enjoy....)

AnyBella 11 Jul 2017 05:51 PM

That makes a lot of sense. Delay on wrong passwords can thwart brute force much better than anything else.

TenFour 12 Jul 2017 05:57 AM

Ha! Get any IT security person to listen to commonsense, or for that matter read and take to heart the latest security thinking? Nonsense! In my experience dealing with IT security at organizations big and small they are routinely ruled by petty bureaucrats who get their kicks by making employees' lives miserable while they chuckle in the back room watching everyone jump through endless pointless hoops that actually degrade security--keeps them in work.

AnyBella 15 Jul 2017 04:48 AM

As an aside, a very distant relative of mine once locked herself out from a school intranet, for the abhorrent system allowed other languages when changing password, but not on actual sign in.

A horror story.

somdcomputerguy 15 Jul 2017 09:12 AM

Quote:

Originally Posted by AnyBella (Post 603085)
..the abhorrent system allowed other languages when changing password, but not on actual sign in.

I've come across a few systems/services like that, and I no longer use them. One of those services was a bank, and even though I decided then and there to put my money elsewhere, I went through a month or so email/phone call flurry with their IT department and the web site design company.

- Bruce

evilquoll 15 Jul 2017 10:34 AM

My pet hate is web sites (usually e-commerce sites) which use a "don't allow paste" command on their password input field (or other fields, for that matter). To my mind, this is detrimental to legitimate users (who are thereby being forced to use a password which is weak enough to be feasible to remember, and to type manually, instead of being copy-and-pasted from a password repository, as I prefer) while doing absolutely nothing for site security. (If I were trying to crack a site, using a buffer-overflow attack or the like, I wouldn't be dumb enough to allow my custom client to honour "no paste" requests.)

Fortunately, this dubious behaviour can be overridden by using Firefox with the appropriate plugin; but it's a dumb idea nonetheless.

TenFour 15 Jul 2017 08:39 PM

Quote:

people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.
^^This^^ I find this one most annoying at work. When you have 20-50 different passwords that you use regularly and you have to constantly be updating them you are guaranteed to hit hassles, especially when working on a large network with other validation things working in the background that can block you. More than once I have had to contact IT during the middle of the night in order to get back up and running due to a forced password change.

janusz 15 Jul 2017 08:47 PM

Quote:

Originally Posted by AnyBella (Post 603085)
for the abhorrent system allowed other languages when changing password, but not on actual sign in.

I'm sure you meant non-ASCII characters in passwords, not "other languages".
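An added example, not code from the thread or from NIST, tying together the recommendations quoted in the opening post (minimum length, allow at least 64 characters, no composition rules, reject commonly used and breached passwords) and the failure AnyBella and janusz describe, where non-ASCII characters are accepted when the password is set but rejected at sign-in. The fix for the latter is to run one normalization routine on both paths; SP 800-63B says verifiers SHOULD apply NFKC or NFKD before hashing. The blocklist here is a constructed stand-in for a real breach corpus, the PBKDF2 parameters are illustrative, and `broken_verify` is a deliberately wrong sign-in path written to reproduce the lockout.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B: allow at least 64; no reason to cap lower

# Constructed stand-in for a real common-password / breach-corpus list.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 100_000   # illustrative; tune to your hardware budget


def canonical(secret):
    """One Unicode normalization, used by BOTH enrolment and sign-in.

    The same visible string can arrive as different code-point sequences
    depending on keyboard, OS or browser (e.g. precomposed U+00E9 versus
    'e' + U+0301).  Normalizing in a single shared function is what prevents
    "accepted when set, rejected when signing in".
    """
    return unicodedata.normalize("NFKC", secret)


def check_policy(secret):
    """Return None if the secret is acceptable, else a reason string.

    Length and a blocklist only: no digit/symbol/case requirements.
    """
    s = canonical(secret)
    n = len(s)                   # code points after normalization, not bytes
    if n < MIN_LENGTH:
        return "too short"
    if n > MAX_LENGTH:
        return "too long"
    if s.lower() in BLOCKLIST:
        return "commonly used or previously breached"
    return None


def enrol(secret):
    """Password-change path: enforce policy, then store a salted slow hash."""
    reason = check_policy(secret)
    if reason:
        raise ValueError(reason)
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonical(secret).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(stored, candidate):
    """Sign-in path: same normalization, same encoding, constant-time compare."""
    salt, digest = stored
    cand = hashlib.pbkdf2_hmac(
        "sha256", canonical(candidate).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)


def broken_verify(stored, candidate):
    """The bug from the thread: the sign-in form only accepts ASCII, so a
    password that was accepted at change time can never be entered again."""
    if not candidate.isascii():
        return False             # locked out of her own account
    return verify(stored, candidate)
```

Note that `check_policy("Tr0ub4dor&3")` and `check_policy("correct horse battery staple")` are both accepted: special characters are neither demanded nor forbidden, while `"password"` is refused despite meeting the length rule because it is on the blocklist.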




Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy