Hacker News new | ask | show | jobs
by tetrep 669 days ago
> Just think of all the nonsense you have to deal with in the name of "security."

Well, the good news is that everything you listed is known as a bad idea to both end users and people who understand security (which is, sadly, not most people who implement security policies).

Using 4 or more dictionary words provides excellent password security and you can do the same for all of your security answers too. There's a variety of free and paid for password managers that solve the issue of trying to remember all your secrets (great for backing up 2FA secrets too).

I'm not sure what you mean by "complicated error messages" but I assume it's errors that they expect the user to fix themselves, otherwise they could return a generic nonspecific error and a unique ID for you to provide when you contact support to get help. While it sucks to get jargon spammed, I feel like pretty standard human ineptitude at explaining an error rather than anything specific to security. I also think it's how many people feel about any error message that contains computer jargon (PC LOAD LETTER!?!?).

> I often wonder how they get away with it all.

My thinking (and experience...) is that most organizations are failing at a lot of things at any given time, even if the business overall is successful. Security is just one of those things. I wouldn't be surprised at a small elite organization not following that trend, but any sufficiently large organization is going to have incompetent people doing incompetent things.
2 comments
tdiff 669 days ago
Is there actually some "professional consensus" on password reset policies (in form of report or journal article or something similar)? If someone could share, I'd love to refer to it in my org to stop resetting passwords every n months.
link
pdw 669 days ago
There are the NIST guidelines on "memorized secrets" (passwords): https://pages.nist.gov/800-63-3/sp800-63b.html#5-authenticat...

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

It has much to say on all kinds of other password nonsense:

> Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well.

> Truncation of the secret SHALL NOT be performed.

> Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.

> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered.

link
tdiff 668 days ago
Thanks!
link
chgs 669 days ago
Password resets should only be performed if it is suspected a password has been compromised.

Complex passwords also should not be required

NIST Special Publication 800-63B – Digital Identity Guidelines.

https://www.netsec.news/summary-of-the-nist-password-recomme...

link
tdiff 668 days ago
Thanks!
link
Dylan16807 669 days ago
> Using 4 or more dictionary words provides excellent password security

I would not call 44-48 bits "excellent". It works if there's a good password hash being used, but if someone left PBKDF on basic settings then a GPU might be able to do 50 million guesses per second, or for a plain old salted hash 50 billion guesses per second.

link
norgie 669 days ago
How does that math work?
link
Dylan16807 669 days ago
The bits, I'm assuming a list of about 2k-4k words. The XKCD example is 2k, so 11 bits per word.

The guesses per second, I looked up some hashcat benchmarks to get a rough range.

link