On Sun, Jan 21, 2024 at 6:31 AM Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Sun, 2024-01-21 at 02:56 -0800, ToddAndMargo via users wrote:
> > This all goes back to using easy passwords. And the
> > same passwords on different sites:
> >
> > https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication
> >
> > "In fact, databases of known breached account information
> > reveal the actual passwords in use around the world, and
> > we can see that people typically fail to choose sufficiently
> > long, complex, and unique passcodes. A study of the most
> > common passwords used globally has “123456”, “qwerty”
> > (six consecutive keys on a keyboard) and “password” among
> > the top 5."
>
> Password construction rules were always a crock of crap. Must have one
> capital, symbol, number, etc just gave a series of clues to crackers.
> While making it harder for you to come up with a code you can remember
> and type (and just watch dyslexic people try to get these things right,
> illiterate people who can't spell, or anybody on a mobile phone touch
> screen). Then have to go through it again and again on forced periodic
> changes.

Password complexity requirements are still a load of crap. No one knows where the crap came from. Searching for the history of complexity requirements seems to point to Microsoft NT 3.5. And we know complex passwords result in weaker passwords from Security Usability studies.

Another load of crap is password rotation policies. You never throw away a good secret unless there's evidence of misuse or breach. And forcing users to gratuitously change their password results in users choosing weaker and weaker passwords over time as they are constantly grinded on to change good passwords. We know this from Security Usability studies.

Anyone designing an authentication system would be well served to read Peter Gutmann's Engineering Security, <https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>. Chapter 7 covers Passwords.

Jeff
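The contrast Jeff draws, composition rules versus simply checking length and a list of known-bad passwords, can be made concrete. The following is an added example and is not code from the thread or from any of the sources it cites. It assumes the approach NIST SP 800-63B recommends (a minimum of 8 characters, at least 64 accepted, a check against known-compromised passwords, and no composition rules); the deny-list entries and the test passwords are constructed for illustration, not drawn from a real breach corpus.

```python
"""Password acceptance: composition rules vs. length plus a deny-list.

Added example, constructed for illustration. The deny-list below is a
made-up stand-in for a real list of known-breached passwords.
"""
import re
import unicodedata

# Constructed deny-list: the three passwords the quoted NIST text names,
# plus a few "complex-looking" strings of the sort that satisfy every
# composition rule yet are common in breach corpora (entries constructed).
DENYLIST = {
    "123456",
    "qwerty",
    "password",
    "p@ssw0rd",
    "p@ssw0rd!",
    "welcome1!",
    "summer2024!",
}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64  # NIST says at least 64 must be accepted; longer is fine


def composition_policy(pw: str) -> list[str]:
    """Classic 'one upper, one lower, one digit, one symbol' rule set.

    Returns the list of failure reasons; an empty list means accepted.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if not re.search(r"[A-Z]", pw):
        reasons.append("needs an uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("needs a symbol")
    return reasons


def _normalize(pw: str) -> str:
    # NFKC so visually identical strings compare equal, then case-fold so
    # "Password" and "PASSWORD" hit the same deny-list entry.
    return unicodedata.normalize("NFKC", pw).casefold()


def denylist_policy(pw: str, denylist=DENYLIST) -> list[str]:
    """Length bounds plus a check against known-bad passwords.

    No composition rules, so a long memorable passphrase is accepted while a
    short or well-known string is rejected regardless of its character mix.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if _normalize(pw) in denylist:
        reasons.append("appears in deny-list of known-bad passwords")
    return reasons


def compare(pw: str) -> dict:
    """Run both policies on one candidate and report each verdict."""
    return {
        "composition": composition_policy(pw),
        "denylist": denylist_policy(pw),
    }


if __name__ == "__main__":
    # Constructed candidates: one that games the composition rules, one
    # passphrase the composition rules would reject, one top-5 password.
    for candidate in ("P@ssw0rd!", "correct horse battery staple", "Qwerty"):
        verdict = compare(candidate)
        print(f"{candidate!r}")
        print(f"  composition rules: {verdict['composition'] or 'accepted'}")
        print(f"  length+denylist:   {verdict['denylist'] or 'accepted'}")
```

Run as a script it shows that "P@ssw0rd!" sails through the composition rules but is caught by the deny-list, while a four-word passphrase fails the composition rules and passes the deny-list policy. In a real deployment the deny-list would be loaded from a breach corpus and the normalization step matters: without case-folding, "Password" would slip past a list that only contains "password".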