Thread Contributor: Dozy Van
New password guidelines say everything we thought about passwords is wrong
#1
Quote: Here is a quick look at the three main changes the NIST has proposed:


No more periodic password changes. This is a huge change of policy as it removes a significant burden from both users and IT departments. It’s been clear for a long time that periodic changes do not improve password security but only make it worse, and now NIST research has finally provided the proof.
No more imposed password complexity (like requiring a combination of letters, numbers, and special characters). This means users now can be less “creative” and avoid passwords like “Password1$”, which only provide a false sense of security.
Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords. Users will be prevented from setting passwords like “password”, “12345678”, etc. which hackers can easily guess.

Link: https://venturebeat.com/2017/04/18/new-p...-is-wrong/



What we should have been doing for years now.
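The third change in the quoted list, as an added example that is not code from the article, the forum post or NIST: a validator that applies a minimum length and a blocklist check but no composition rules. It goes slightly beyond the quote by also rejecting context-specific words (the username or service name) and repetitive or sequential runs, which the same NIST guidance lists under "expected" passwords. The blocklist here is a constructed stand-in for a real breach corpus.

```python
import re

# Constructed sample blocklist; a real deployment would load a large
# corpus of breached and commonly used passwords instead.
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein", "password1$"}

MIN_LEN, MAX_LEN = 8, 64  # minimum length and a generous upper bound


def _normalize(pw: str) -> str:
    """Case-fold and strip trailing digits/symbols so 'Password1$' compares as 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True for runs of repeated or consecutive characters such as 'aaaa', 'abcd' or '4321'."""
    s = pw.casefold()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a password is rejected (empty list means accepted).

    Deliberately no character-class rules: length plus a blocklist, plus the
    context-specific and sequential-character checks from the same guidance.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if _normalize(pw) in BLOCKLIST or pw.casefold() in BLOCKLIST:
        problems.append("on blocklist of common/compromised passwords")
    for ctx in (username, service):  # 'expected' passwords built from the login context
        if ctx and ctx.casefold() in pw.casefold():
            problems.append(f"contains context-specific word '{ctx}'")
    if _has_sequence(pw):
        problems.append("repetitive or sequential characters")
    return problems
```

Note that a long passphrase with no digits or symbols passes, while "Password1$" is rejected because it normalizes to a blocklisted word.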
#2
Ding, ding, ding.

I'm perhaps most anticipating seeing the third item catch on - this has been a needed standard for a long time. I'd love to see widespread adoption of this principle.
#3
Thank god. Finally they'll make this a standard. This will greatly improve the security for a lot of people that use weak passwords all the time. Though still, I wouldn't recommend anyone to use the same password for everything.
#4
(05-04-2017, 06:57 AM)Bish0pQ Wrote: Thank god. Finally they'll make this a standard. This will greatly improve the security for a lot of people that use weak passwords all the time. Though still, I wouldn't recommend anyone to use the same password for everything.

yeah stuff like Keepass or even lastpass is a game changer. I have a unique password for everything now :D
#5
The problem is shit webadmins that don't store passwords and personal information multi encrypted with salts in their db. I still see sites send me my raw password when I send a recover request. I like 2 step auth and all, but imagine having to fucking grab your phone, then quickly enter the new 2nd step code before it expires (assuming most sites will adopt the 10 second rule). It will be annoying af. It's inconvenient to someone like me who rarely uses his phone in the first place. IDK, maybe I just hate change tho, it's probably for the best.

EDIT:

As for "Guessing the Password", that shit doesn't normally work.
As for using a ComboList to bruteforce online sites, that shit normally doesn't work (password attempts exceed maximum).


TLDR: Shitty webadmins make our lives harder.