The National Institute of Standards and Technology of the United States (NIST) is developing new guidelines for policies that should be followed by passwords to be used by the US government and the public sector in general.
Όποιος ενδιαφέρεται οι νέες προδιαγραφές της Ειδικής Έκδοσης 800-63-3: Ψηφιακές κατευθυντήριες γραμμές ελέγχου ταυτότητας (Special Publication 800-63-3: Digital authentication Guidelines) μπορεί να βρεθούν στην NIST's website.
But let's look at what are the main differences between today's polar and NIST?
Some of NIST's new recommendations may be guessing and others may surprise you.
Let's start:
New policies favor the user. In other words, the different websites should stop asking users to do things that do not actually improve security.
Many of the so-called "best practices" prove to be of little help and not worth the headache they cause.
The size counts for passwords. The new NIST guidelines indicate that you must have at least 8 characters. This should not be the maximum, so you can increase the length of your password to more sensitive accounts.
NIST says a maximum length of at least 64 characters should be allowed, so there should no longer be "Sorry, your password could not be longer than 16 characters."
All printable ASCII characters, including spaces, all UNICODE characters, and Emoji!
Check the new codes whether they are contained in known cracking dictionaries. So no one will be able to use codes such as: ChangeMe, thisisapassword, 12345678, and so on.
Things you should not do.
There are no code synthesis rules. This means that you should not remember more rules that force the use of specific characters or combinations, such as spasmodic terms on some password-resetting pages that require:
"Your password must contain a lowercase letter, a uppercase letter, a number, four symbols but not &% # @ _, and 5kg of skewers."
The new rules will allow users to freely choose, and encourage them to use large phrases that they can remember instead of fraudulent complexity codes like pA55w + rd.
End the code hints. No questions that will make you remember your password if you forget it. 2013 with password-escaping from Adobe users has seen crazy things. Somebody with password password had asword password reminder the assword!
Οι ερωτήσεις για το Knowledge-based authentication (KBA) they cease to exist. It's when a site asks you to choose from a list of questions like Where did you go to high school? What is your favorite football team? team; and you should write the answer. You will use it in case you need to confirm your identity.
End of password expiration: Ο αγαπημένος μου νέος κανονισμός! Αν ο χρήστης uses έναν πολύ δύσκολο και μακρύ κωδικό πρόσβασης 50 χαρακτήρων γιατί να τον αλλάζει κάθε μήνα;
Passwords should only be changed when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could potentially be subjected to an offline brute-force attack.
NIST also gives some very valuable tips.
All passwords must be hashed, salted and stretched with salt of 32 bits or more, HMAC hash using SHA-1, SHA-2 or SHA-3, and a stretching PBKDF2 with at least 10,000 reps.
Επιπλέον, άλλη μια μεγάλη αλλαγή είναι ότι τα SMS δεν θα πρέπει να χρησιμοποιούνται πλέον για ελέγχους ταυτότητας δύο παραγόντων, καθώς υπάρχουν πολλά προβλήματα με την ασφάλεια παράδοσης των SMS, malware που μπορούν να ανακατευθύνουν τα messages κειμένου και επιθέσεις εναντίον του δικτύου κινητής τηλεφωνίας (όπως το λεγόμενο SS7 hack), αλλά και μια απλή φορητότητα αριθμού.
Do we also mention SIM swaps? It is very easy to get a new SIM from your mobile operator and cancel the one you use because it is supposed to be lost, destroyed or stolen.
Σε πολλές χώρες, δυστυχώς, είναι πολύ εύκολο για τους εγκληματίες να πείσουν ένα store κινητής τηλεφωνίας να μεταφέρει τον αριθμό τηλεφώνου κάποιου σε μια νέα κάρτα SIM.
Η movement of NIST was to be expected as password policies should constantly evolve as hacker techniques evolve.
