Surprising Password Guidelines from NIST

guest · Jul 15, 2019

Surprising Password Guidelines from NIST
NIST Cyber Security Framework
July 15, 2019
https://www.bankinfosecurity.com/blogs/surprising-password-guidelines-from-nist-p-2764

NIST finalized new guidelines, substantially revising password security recommendations and upending many of the standards and best practices which security professionals use when forming policies for their companies.
NIST guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.

NIST 800-63-3: Digital Identity Guidelines has made some long overdue changes when it comes to recommendations for user password management.
The new framework recommends, among other things:
• Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it's been shown repeatedly that these types of restrictions often result in worse passwords. [...]
Click to expand...

pandorax · Jul 15, 2019

The Guardian and The New York Times reported that NIST allowed the National Security Agency (NSA) to insert a cryptographically secure pseudorandom number generator called Dual EC DRBG into NIST standard SP 800-90 that had a kleptographic backdoor that the NSA can use to covertly predict the future outputs of this pseudorandom number generator thereby allowing the surreptitious decryption of data.[24] Both papers report[25][26] that the NSA worked covertly to get its own version of SP 800-90 approved for worldwide use in 2006. The whistle-blowing document states that "eventually, NSA became the sole editor". The reports confirm suspicions and technical grounds publicly raised by cryptographers in 2007 that the EC-DRBG could contain a kleptographic backdoor (perhaps placed in the standard by NSA).[27]
Click to expand...

https://en.wikipedia.org/wiki/Natio...Controversy_regarding_NIST_standard_SP_800-90

CloneRanger · Jul 16, 2019

No surprise we can't trust NIST or NSA !

Who would LOL

zapjb · Jul 16, 2019

People who use mytwitface.

plat · Jul 16, 2019

zapjb said: ↑

mytwitface.
Click to expand...

Ha ha! Well this article is sort of reassuring in the sense I've been using less complex passwords combined with two-factor authentication for certain sites for a while now. Other than that, whatever. Works for me until it doesn't.

Log in or Sign up

Surprising Password Guidelines from NIST

guest Guest

pandorax Registered Member

CloneRanger Registered Member

zapjb Registered Member

plat Registered Member

Log in or Sign up

Surprising Password Guidelines from NIST

guest Guest

pandorax Registered Member

CloneRanger Registered Member

zapjb Registered Member

plat Registered Member

Useful Searches