The NIST Finally Formally Chooses SAM Security Model for Passwords

scottalanmiller

Not to say I told you so but... had people listened to me years ago we could have saved a lot of tax payer dollars here Recently the US NIST has formalized their recommendations for practical password security and, no surprise, it mirrors when I've been recommending and saying was IT security standard practice for years - long non-complex passphrases that are easy for humans to remember but hard for computers to brute force that only change very infrequently to give humans more chance of remembering them and avoiding anything that causes humans to work around security systems. Yup, simple, common sense security that pragmatically matches how humans actually function and takes into account how computers actually need to attack passphrases.

The important takeaway from the NIST decisions is... simple user education and good IT policies are the best approach. Don't try to shove changes down your users' throats, don't try to be the authority, help them choose good passphrases and don't make them work around you.

https://imgs.xkcd.com/comics/password_strength.png

scottalanmiller

Buried in here, I'm told, lol, for those that want to dig it out: https://pages.nist.gov/800-63-3/sp800-63b.html

stacksofplates

Dashrender

Could have sworn I posted about this weeks ago.

JaredBusch

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

Could have sworn I posted about this weeks ago.

You did, but you didn't claim that NIST followed your recommendation.

scottalanmiller

@jaredbusch said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

Could have sworn I posted about this weeks ago.

You did, but you didn't claim that NIST followed your recommendation.

I only said that they mirrored it, not followed it. Not quite the same.

gjacobse

just found this:

Man who came up with rules for creating passwords says he blew it

Dashrender

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

DustinB3403

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

Because he was fucking paid to write the memo. Do what you're told or find a new job.

Obviously.

Dashrender

@dustinb3403 said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

Because he was fucking paid to write the memo. Do what you're told or find a new job.

Obviously.

Yeah - more govment meaningless crap!

scottalanmiller

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

We all knew whoever did it didn't know the first thing about passwords. But why the NIST let him make it... that's the real question.

DustinB3403

@scottalanmiller is that really the question.

More importantly why does it fucking matter. It was written so long ago and there has been plenty of time and evidence that what was written down was complete bullshit.

Dashrender

@scottalanmiller said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

We all knew whoever did it didn't know the first thing about passwords. But why the NIST let him make it... that's the real question.

this was my real question...

scottalanmiller

@dustinb3403 said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@scottalanmiller is that really the question.

More importantly why does it fucking matter. It was written so long ago and there has been plenty of time and evidence that what was written down was complete bullshit.

Except they new it was BS in 2003, too.