EmailDiscussions.com > Miscellaneous > The Off-Topic Lounge

The Off-Topic Lounge: this forum is for posting anything (excluding topics prohibited by the forum rules) that's unrelated to email. General discussions, in other words.
Old 25 Jun 2017, 10:28 PM   #1
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
you shouldn’t be forced to use special characters in your passwords

From the Quartz Media magazine:

Quote:
The standards organization of the United States, NIST, has concluded that many common requirements for passwords, like forcing you to use special characters, are misguided.

Instead, NIST recommends the use of lengthy passwords, and instructs administrators to allow passwords to run at least 64 characters long. It also says people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.

[T]he guidelines say that administrators should take actions that make accounts more secure than special characters ever could—for instance, preventing the use of common passwords and those that have been previously exposed in breaches, and creating a waiting period between incorrect login attempts.
Link to the NIST guidelines (only four volumes, enjoy....)
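Post #1 quotes the NIST guidance only in prose, so here is a small Python verifier that puts the four quoted rules into working code: no special-character requirement, long passwords allowed (64 characters or more), a blocklist of common and breached passwords, and a growing wait between wrong guesses. This is an added example, not code from the thread, from NIST or from Quartz. The blocklist, the user records, the minimum length of 8 and the one-second delay that doubles on every failure are constructed assumptions for the demonstration.

```python
"""Added example (not from the thread): a minimal password verifier that
follows the NIST-style rules quoted in post #1.  The blocklist and the user
store are constructed sample data, not a real breach corpus."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8     # assumed minimum for user-chosen secrets
MAX_LENGTH = 64    # the quoted guidance says at least 64 must be allowed

# Constructed toy blocklist.  A real verifier would check a large corpus
# of breached passwords (stored hashed, offline) rather than a few words.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1"}


def check_policy(password: str, username: str = "") -> list:
    """Return the reasons a password is rejected (empty list = accepted).
    There is deliberately no rule about digits or special characters.
    Length is counted in code points, so non-ASCII characters are fine."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short (minimum %d characters)" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("too long (maximum %d characters)" % MAX_LENGTH)
    if password.lower() in BLOCKLIST:   # case-insensitive match is a design choice
        problems.append("appears on the common/breached password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 from the standard library; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Verifier:
    """Keeps one record per user and slows down repeated wrong guesses
    instead of pushing complexity rules onto the user."""

    def __init__(self, base_delay: float = 1.0, clock=time.monotonic):
        self.base_delay = base_delay   # assumed: 1 s, doubling per failure
        self.clock = clock             # injectable so tests can fake time
        self.users = {}                # username -> record dict

    def register(self, username: str, password: str) -> list:
        """Apply the policy; on success store the hash and return []."""
        problems = check_policy(password, username)
        if problems:
            return problems
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "failures": 0, "next_allowed": 0.0}
        return []

    def login(self, username: str, password: str) -> str:
        """Return "ok", "throttled" (still inside the waiting period) or "denied"."""
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
            return "denied"
        now = self.clock()
        if now < rec["next_allowed"]:
            return "throttled"
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["digest"]):
            rec["failures"] = 0
            rec["next_allowed"] = 0.0
            return "ok"
        # Waiting period after each wrong guess: 1 s, 2 s, 4 s, ...
        rec["failures"] += 1
        rec["next_allowed"] = now + self.base_delay * 2 ** (rec["failures"] - 1)
        return "denied"


if __name__ == "__main__":
    v = Verifier()
    print(v.register("alice", "correct horse battery staple"))   # []
    print(v.register("bob", "Password1"))   # rejected: on the blocklist
    print(v.login("alice", "wrong"), v.login("alice", "correct horse battery staple"))
```

The waiting period is tracked per account and enforced before the hash is even computed, so a guessing client pays the delay whether or not it honours anything the login page asks of it; the "throttled" result is what a client sees while the period is still running.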

Old 11 Jul 2017, 06:51 PM   #2
AnyBella
Junior Member
 
Join Date: Jul 2017
Location: AnyBellaCoolHusky
Posts: 12
That makes a lot of sense. Delay on wrong passwords can thwart brute force much better than anything else.
Old 12 Jul 2017, 06:57 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,679
Ha! Get any IT security person to listen to common sense, or for that matter read and take to heart the latest security thinking? Nonsense! In my experience dealing with IT security at organizations big and small, they are routinely ruled by petty bureaucrats who get their kicks by making employees' lives miserable while they chuckle in the back room watching everyone jump through endless pointless hoops that actually degrade security--keeps them in work.
Old 15 Jul 2017, 05:48 AM   #4
AnyBella
Junior Member
 
Join Date: Jul 2017
Location: AnyBellaCoolHusky
Posts: 12
As an aside, a very distant relative of mine once locked herself out of a school intranet, for the abhorrent system allowed other languages when changing the password, but not on actual sign-in.

A horror story.
Old 15 Jul 2017, 10:12 AM   #5
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 876
Quote:
Originally Posted by AnyBella
..the abhorrent system allowed other languages when changing password, but not on actual sign in.
I've come across a few systems/services like that, and I no longer use them. One of those services was a bank, and even though I decided then and there to put my money elsewhere, I went through a month or so of email/phone-call flurry with their IT department and the web site design company.

- Bruce
Old 15 Jul 2017, 11:34 AM   #6
evilquoll
Member
 
Join Date: May 2017
Location: Emergency temporary account of ROBERT.BAK
Posts: 36
My pet hate is web sites (usually e-commerce sites) which use a "don't allow paste" command on their password input field (or other fields, for that matter). To my mind, this is detrimental to legitimate users (who are thereby being forced to use a password which is weak enough to be feasible to remember, and to type manually, instead of being copy-and-pasted from a password repository, as I prefer) while doing absolutely nothing for site security. (If I were trying to crack a site, using a buffer-overflow attack or the like, I wouldn't be dumb enough to allow my custom client to honour "no paste" requests.)

Fortunately, this dubious behaviour can be overridden by using Firefox with the appropriate plugin; but it's a dumb idea nonetheless.
Old 15 Jul 2017, 09:39 PM   #7
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,679
Quote:
people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.
^^This^^. I find this one most annoying at work. When you have 20-50 different passwords that you use regularly and you have to constantly be updating them, you are guaranteed to hit hassles, especially when working on a large network with other validation things working in the background that can block you. More than once I have had to contact IT in the middle of the night in order to get back up and running due to a forced password change.
Old 15 Jul 2017, 09:47 PM   #8
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote:
Originally Posted by AnyBella
for the abhorrent system allowed other languages when changing password, but not on actual sign in.
I'm sure you meant non-ASCII characters in passwords, not "other languages".
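The lockout in post #4, read with the clarification in post #8 that it concerns non-ASCII characters, has a concrete mechanism worth seeing in code. The Python below is an added example, not code from the thread or from any real system: three constructed verifiers show the failure where the change-password form stores anything but the sign-in form accepts only ASCII, the subtler failure where both forms accept Unicode but the same password typed in two Unicode forms hashes differently, and the fix of normalizing on both paths before hashing, which is what NIST SP 800-63B recommends (NFKC or NFD) when Unicode is accepted. The sample password and the minimum length of 8 are assumptions.

```python
"""Added example (not from the thread): why a password with non-ASCII
characters can be accepted when set and rejected at sign-in, and how a
verifier avoids it.  All three classes are constructed for illustration."""
import hashlib
import hmac
import unicodedata

# Two ways to type the same password: the first uses the precomposed
# character U+00E9, the second the letter "e" followed by a combining
# acute accent (U+0301).  They look identical on screen but differ in
# code points, so they also differ once encoded and hashed.
NFC_FORM = "caf\u00e9 au lait 2017"   # 17 code points (constructed sample)
NFD_FORM = "cafe\u0301 au lait 2017"  # 18 code points, same password


def _digest(secret: str) -> bytes:
    # Plain SHA-256 keeps the example short; a real verifier uses a salted,
    # slow hash (PBKDF2, bcrypt, scrypt or Argon2) instead.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class BrokenVerifier:
    """The failure from post #4: the change-password form stores anything,
    but the sign-in form only accepts ASCII, so the user is locked out."""

    def __init__(self):
        self.stored = None

    def set_password(self, secret: str) -> bool:
        self.stored = _digest(secret)
        return True

    def login(self, secret: str) -> bool:
        if not secret.isascii():   # sign-in path silently rejects non-ASCII
            return False
        return hmac.compare_digest(self.stored, _digest(secret))


class NaiveUnicodeVerifier:
    """Accepts Unicode on both paths but hashes the raw code points, so the
    password typed in NFD form on one device fails against a stored NFC
    form (or the other way round)."""

    def __init__(self):
        self.stored = None

    def set_password(self, secret: str) -> bool:
        self.stored = _digest(secret)
        return True

    def login(self, secret: str) -> bool:
        return hmac.compare_digest(self.stored, _digest(secret))


class NormalizingVerifier:
    """Normalizes on both paths before hashing (NFKC here; NIST SP 800-63B
    allows NFKC or NFD) and counts length in code points afterwards."""

    MIN_LENGTH = 8   # assumed minimum

    def __init__(self):
        self.stored = None

    @staticmethod
    def canonical(secret: str) -> str:
        return unicodedata.normalize("NFKC", secret)

    def set_password(self, secret: str) -> bool:
        canon = self.canonical(secret)
        if len(canon) < self.MIN_LENGTH:
            return False
        self.stored = _digest(canon)
        return True

    def login(self, secret: str) -> bool:
        return hmac.compare_digest(self.stored, _digest(self.canonical(secret)))


if __name__ == "__main__":
    for cls in (BrokenVerifier, NaiveUnicodeVerifier, NormalizingVerifier):
        v = cls()
        v.set_password(NFC_FORM)
        print(cls.__name__, "NFC login:", v.login(NFC_FORM),
              "NFD login:", v.login(NFD_FORM))
```

The check a practitioner wants is simple: set a password containing an accented or non-Latin character through the change-password form and then sign in with it from a different device or keyboard layout; if either the ASCII filter or the missing normalization is present, the second step fails exactly as described in post #4.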
All times are GMT +9. The time now is 09:03 PM.

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved.