On 1/21/24 06:22, Jeffrey Walton wrote:
On Sun, Jan 21, 2024 at 6:31 AM Tim via users
<users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Sun, 2024-01-21 at 02:56 -0800, ToddAndMargo via users wrote:
This all goes back to using easy passwords. And the
same passwords on different sites:
https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication
"In fact, databases of known breached account information
reveal the actual passwords in use around the world, and
we can see that people typically fail to choose sufficiently
long, complex, and unique passcodes. A study of the most
common passwords used globally has “123456”, “qwerty”
(six consecutive keys on a keyboard) and “password” among
the top 5."
Password construction rules were always a crock of crap. Must have one
capital, symbol, number, etc just gave a series of clues to crackers.
While making it harder for you to come up with a code you can remember
and type (and just watch dyslexic people try to get these things right,
illiterate people who can't spell, or anybody on a mobile phone touch
screen). Then have to go through it again and again on forced periodic
changes.
Password complexity requirements are still a load of crap. No one
knows where the crap came from. Searching for the history of
complexity requirements seems to point to Microsoft NT 3.5. And we
know complex passwords result in weaker passwords from Security
Usability studies.
I thought so.
Another load of crap is password rotation policies. You never throw
away a good secret unless there's evidence of misuse or breach. And
forcing users to gratuitously change their password results in users
choosing weaker and weaker passwords over time as they are constantly
grinded on to change good passwords. We know this from Security
Usability studies.
I can personally attest to this from my travels as
a computer consultant
Anyone designing an authentication system would be well served to read
Peter Gutmann's Engineering Security,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>. Chapter 7
covers Passwords.
Jeff
I needed a password eight characters long
I picked "Snow White and the Seven Dwarfs".
Okay, that was a "Dad Joke" but it probably is a really
strong password and easy to remember. I recommend run on
phrases to my customers. When I make them up for them,
I often use a phrase that flatters their business.
Those they never forget.
--
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue