Monthly Archives: May 2017

Password security officially becomes easier

NIST* has modernized its password rules for US Government departments, specifically the “minimum requirements for federal information systems”. Many corporate IT departments derive their own password policies from NIST guidance, so maybe these better rules will reach bank machines and corporate workplaces “soonish”.
– (Yeah, I said “soonish”. In this case, “soonish” = “probably years from now”.)

What NIST said:

I will summarize and link to the parts of the draft Guidelines that make passwords easier.

“Draft NIST Special Publication, 800-63B – Digital Identity Guidelines”:

  • Section 5, Authenticator and Verifier Requirements
    • Section 5.1.1.2, Memorized Secret Verifiers – Don’t make the password artificially hard to remember by requiring “complexity rules” (UPPER, lower, numeric, special characters). Verifiers should not impose such composition rules. (Rationale in Appendix A.)
  • Appendix A, Strength of Memorized Secrets
    • Why complexity rules don’t help much: “analyses of breached password databases reveals that the benefit of such [complexity] rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
    • Services should instead disallow passwords found in a list of commonly used passwords, such as “Password1!” and “123456”. The draft also names dictionary words, repetitive or sequential characters, and context-specific words such as the user name or the name of the service as things the verifier should reject.
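
To make the contrast concrete, here is an added Python example (not code from the post, and not from NIST or the guideline text): a legacy “complexity rules” checker next to an 800-63B-style verifier that uses a length floor and a blocklist instead of composition rules. The blocklist is a constructed sample of a dozen entries; the eight-character minimum is the SP 800-63B figure for user-chosen secrets; the username/service-name and sequential-character checks follow the blocklist categories the guideline names. Everything else (function names, reason strings) is my own choice.

```python
import re

# Constructed sample of a "commonly used passwords" blocklist, stored in
# lower case. A real verifier would load a large breach-derived list
# (millions of entries) rather than hard-code a handful like this.
COMMON_PASSWORDS = {
    "123456", "password", "password1", "password1!", "qwerty",
    "letmein", "iloveyou", "admin", "welcome1", "p@ssw0rd",
}

# SP 800-63B 5.1.1.1: user-chosen memorized secrets must be at least 8 characters.
MIN_LENGTH = 8


def legacy_check(pw):
    """The old 'complexity rules' policy: 8+ characters drawn from all four
    classes (UPPER, lower, numeric, special). Kept only to show what it
    gets wrong; do not deploy this."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_sequential(s):
    """True for runs such as 'abcdefgh' or '87654321', where every step
    between neighbouring characters is +1, or every step is -1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def nist_check(pw, username="", service=""):
    """Verifier check in the style of SP 800-63B section 5.1.1.2: a length
    floor plus a blocklist, and deliberately no composition rules.
    Returns (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    normalized = pw.lower()
    if normalized in COMMON_PASSWORDS:
        return False, "in common-password list"
    # Context-specific words the guideline also says to reject.
    for word in (username, service):
        if word and word.lower() in normalized:
            return False, "contains username or service name"
    # Repetitive or sequential characters ("aaaaaaaa", "12345678").
    if len(set(normalized)) == 1:
        return False, "repeated single character"
    if is_sequential(normalized):
        return False, "sequential characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple",
                      "12345678", "alice-2017-vacation"):
        print(f"{candidate!r}: legacy={legacy_check(candidate)} "
              f"nist={nist_check(candidate, username='alice')}")
```

The two checkers disagree in exactly the way Appendix A predicts: “Password1!” satisfies every complexity class and passes the legacy check, but it is on the blocklist and fails the 800-63B-style check; a long, memorable passphrase such as “correct horse battery staple” fails the legacy check (no upper case, no digit, no special character) and passes the 800-63B-style one.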

For a longer explanation, see Slava Gomzin’s article on Venture Beat.

* NIST = National Institute of Standards and Technology (part of the U.S. Dept. of Commerce)


CAPTCHA defined

Well! I thought it was a company name, so I never looked it up. As Ian says, “That’s my story, and I’m gonna stick to it.”

Turns out CAPTCHA means:

  • Completely Automated Public Turing test to tell Computers and Humans Apart

Source: nist.gov. On that page, look under Definitions and Abbreviations.