Okay. Cyber security from someone who is absolutely not an expert in cyber security:
- Use passphrases, not passwords.
- Complexity requirements should be used in moderation.
- Forced expiration should not exist.
- Password length maximums should be at least 64 characters.
First up, passphrases. Passphrases tend to be longer than regular passwords, but easier to remember. Because they're longer, computers take longer to crack 'em by brute force.
(forgot to attribute: image credit: Randall Munroe - xkcd.com/936)
Because they're easier to remember, you run less of a risk of people writing them down.
Just like in locksport: if the lock is the easiest way in, that's how they'll get in; but if you know there's a key under the rug (a password written on a note stuck to the monitor), is there any point in picking the lock in the first place?
Second: complexity requirements. They're good because they prevent basic dictionary attacks, but bad because, if overused, they make passwords impossible to remember.
The only complexity requirement I exempt from that is a minimum length requirement (see: passphrases).
If you require a symbol (e.g. ! @ # $ %), people are just going to tack exclamation points on the end until the requirement is satisfied.
The only complexity requirement that I feel is really necessary (remember: not an infosec expert!) is one capital letter, one lowercase letter, one number, and a reasonable minimum length.
Excluding the length, the password "24hoursSpa" is reasonably secure and easy to remember.
The password "24h0urs$p@" is not as easy to remember, and roughly just as secure.
(Note: I wouldn't use either of these, they're too short and too indicative of my interests)
So, going back to passphrases, let's say you really like Rick Astley.
"r!ck@$tley87" is nowhere near as secure as, say, "ijustwannaTellyouhowimfeeling87", if only because of the length.
Which do you think is easier to remember?
Moving on to forced expiration: there is exactly one time it should be used, and that's when you reasonably suspect someone's account has been compromised. That's it.
Expiring passwords after a set length of time only causes headaches when you have to remember "oh, I had to change it, it's X now".
You don't want people to have to write their current passwords down (and defeat the purpose of having the door locked). Don't use password expiry.
And lastly, password length maximums.
Make sure the maximum is long enough for your users to fit a decent passphrase into (looking at you, @Equifax, and your 16-character limit!).
Capping the password length sharply cuts the number of combinations an attacker has to try to brute-force it.
Oh, one thing I thought of while driving to work:
If you have to change your password and you're told that your new password is too similar to your old one (as opposed to being an exact match), it's highly likely that your password is being stored in plaintext.
If your password is properly salted and hashed, there should be no way they can tell whether your password is similar, just whether it's an exact match or not.
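To make that last point concrete, here is an added example (mine, not the thread author's) of the policy and storage the thread argues for: a passphrase-friendly minimum and a high maximum, the three character classes, and salted PBKDF2 storage that can only answer "exact match or not". The one place a "too similar" rule can legitimately be enforced is the change-password request itself, where both plaintexts are in memory for that request; the policy numbers, the Rick Astley passphrases and "NeverGonnaGiveYouUp1987" are assumed or constructed values.

```python
import hashlib
import hmac
import os

# Policy values are assumptions chosen to fit the thread's advice, not
# numbers from the original post: a passphrase-friendly minimum, a maximum
# well above 64, and only the three character classes the post calls for.
MIN_LEN = 12
MAX_LEN = 128
SALT_LEN = 16
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def policy_errors(pw: str) -> list:
    """Return the policy rules `pw` violates (an empty list means accepted)."""
    errs = []
    if len(pw) < MIN_LEN:
        errs.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        errs.append(f"longer than {MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        errs.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        errs.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        errs.append("no digit")
    return errs


def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2 hash; the random salt is stored in front of the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(pw: str, stored: bytes) -> bool:
    """The only question a salted hash can answer: exact match or not."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def change_password(stored: bytes, current_pw: str, new_pw: str) -> bytes:
    """Both plaintexts exist only for this one request, so a 'too similar'
    rule can be checked here without ever storing a plaintext; it cannot be
    checked from the stored hash alone."""
    if not verify_password(current_pw, stored):
        raise ValueError("current password incorrect")
    errs = policy_errors(new_pw)
    if errs:
        raise ValueError("new password rejected: " + ", ".join(errs))
    if new_pw.lower().startswith(current_pw.lower()):  # crude similarity rule
        raise ValueError("new password too similar to current one")
    return hash_password(new_pw)
```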