Personal computing discussed

Moderator: Dposcorp

 
alloyD
Silver subscriber
Gerbil First Class
Topic Author
Posts: 163
Joined: Thu Apr 14, 2005 4:44 pm
Location: Missouri

NIST password guidelines updated!

Tue Aug 15, 2017 1:00 pm

Finally! NIST has updated their password guidelines to get rid of some of the worst of their complexity requirements. They're now encouraging longer passphrases and discouraging symbol and case requirements. Hopefully we'll start to see organizations start to adopt these soon.
"The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it." --Neil Stephenson
 
druidcent
Minister of Gerbil Affairs
Posts: 2355
Joined: Wed Aug 07, 2002 7:55 pm
Location: Earth, Sol, Milky Way
Contact:

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:08 pm

I'm just sad they did not reference XKCD in the publication :(
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:15 pm

NIST also deprecated, in May 2016, the use of raw push SMS one-time passwords.
If the Earth were flat, cats would have pushed everything off of it by now.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:17 pm

druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple
If the Earth were flat, cats would have pushed everything off of it by now.
 
chuckula
Gold subscriber
Gerbil Jedi
Posts: 1509
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:20 pm

Captain Ned wrote:
druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple


That's amazing! I've got the same password on my luggage!
4770K @ 4.7 GHz; 32GB DDR3-2133; GTX-1080; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
Waco
Gold subscriber
Gerbil Jedi
Posts: 1944
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:36 pm

chuckula wrote:
Captain Ned wrote:
druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


Correct Horse Battery Staple


That's amazing! I've got the same password on my luggage!

Great, now I need to watch Spaceballs again. :P
Z170A Gaming Pro Carbon | 6700K @ 4.5 | 16 GB | GTX Titan X | Seasonix Gold 850 | XSPC RX360 | Heatkiller R3 | D5 + RP-452X2 | Cosmos II | Samsung 4K 40" | 480 + 240 + LSI 9207-8i (128x8) SSDs
 
alloyD
Silver subscriber
Gerbil First Class
Topic Author
Posts: 163
Joined: Thu Apr 14, 2005 4:44 pm
Location: Missouri

Re: NIST password guidelines updated!

Tue Aug 15, 2017 1:42 pm

druidcent wrote:
I'm just sad they did not reference XKCD in the publication :(


You know the guy who wrote that appendix begged his boss.
"The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it." --Neil Stephenson
 
freebird
Gerbil
Posts: 35
Joined: Thu Aug 31, 2006 4:03 pm

Re: NIST password guidelines updated!

Tue Aug 15, 2017 2:06 pm

I read about that last week or so on the dailycaller.com
http://dailycaller.com/2017/08/08/turns ... ds-secure/

This article is interesting also…
https://sg.news.yahoo.com/computer-secu ... 13686.html

P@ssword#1 hasn’t been pwoned yet…

and then there is always this site too...
https://haveibeenpwned.com/
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 4:01 pm

So did they changed the recommending of changing your password every so often? I never did follow that, and most people just keep the same password and just add a number to the end of it. It is hard enough to come up with a good password that easy to remember but hard to guess.
 
ShadowEyez
Gerbil XP
Posts: 347
Joined: Wed Dec 03, 2003 12:31 pm

Re: NIST password guidelines updated!

Tue Aug 15, 2017 4:18 pm

http://pwgen-win.sourceforge.net/ and a good offline password "vault" on the user side.

Hashing, salts, high iterations, prefect forward secrecy, and rate limiting on the app/dev side.

They can try to straddle the balance between what the average human can "easily" remember, for each of their dozens of work and personal accounts, against what multiple dedicated and increasingly fast GPU's and optimized software can achieve, but at this point the random generation + vault strategy seems to be the most viable as far as passwords are concerned. Or have any of you gerbils figured out a better way?
The finest tools are forged from the hottest fires
 
NovusBogus
Silver subscriber
Graphmaster Gerbil
Posts: 1167
Joined: Sun Jan 06, 2013 12:37 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:06 pm

I guess that's a good thing.


...meanwhile, in the real world, black hats continue to bypass passwords altogether by calling customer service and asking nicely.
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:15 pm

NovusBogus wrote:
I guess that's a good thing.


...meanwhile, in the real world, black hats continue to bypass passwords altogether by calling customer service and asking nicely.

That still works? I would have thought that people would have wised up by now.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:20 pm

whm1974 wrote:
That still works? I would have thought that people would have wised up by now.

Social engineering will always work as long as humans are involved. It's the rare bank exam where I DON"T have the punch-lock code to the entry door by the 3rd day of the exam. I just love writing it on a small sticky note and handing it to the security officer.
If the Earth were flat, cats would have pushed everything off of it by now.
 
Redocbew
Gold subscriber
Graphmaster Gerbil
Posts: 1205
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Tue Aug 15, 2017 10:24 pm

It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:00 am

Captain Ned wrote:
whm1974 wrote:
That still works? I would have thought that people would have wised up by now.

Social engineering will always work as long as humans are involved. It's the rare bank exam where I DON"T have the punch-lock code to the entry door by the 3rd day of the exam. I just love writing it on a small sticky note and handing it to the security officer.

So how do I prevent myself from become a victim of Social Engineering? I do know better then to just give my password to someone calling me saying they are from the bank or whatever. Anything else I should be aware off?
 
Redocbew
Gold subscriber
Graphmaster Gerbil
Posts: 1205
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:24 am

Be like Mulder. Trust no one.
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:31 am

whm1974 wrote:
So how do I prevent myself from become a victim of Social Engineering? I do know better then to just give my password to someone calling me saying they are from the bank or whatever. Anything else I should be aware off?

Social engineering works much better in a face-to-face environment. Don't listen to or accept authority automatically. I get the door credentials on day 1 or day 2 by identifying myself as an "auditor" (I am not, as that would mean I'm a CPA, which I am not. Our cover page for exam reports clearly states that it's not an audit, but we are universally referred to by lower-level employees as an "auditor") and ask for the door code on the pretext that I have a whole bunch more stuff to schlep from the car. That works 75% of the time. If I get to day 3 without just asking not working, it's even easier. Employees have seen us in the building, know who we are and why we're there, and make no attempt to protect their entry of door codes from shoulder-surfing.

In any security system the human is ALWAYS the weakest link. Given that I've been doing this for 21 years and have been in all of our regulated institutions more times than I care to count, one would expect that institution security officers would post my picture in the break room ('cause the security officers know what's coming, as the institution knows our arrival date about a month ahead of time) with the stern admonition "tell this guy nothing about the doors". The fact that this hasn't happened in 21 years is somewhat disconcerting.
If the Earth were flat, cats would have pushed everything off of it by now.
 
NovusBogus
Silver subscriber
Graphmaster Gerbil
Posts: 1167
Joined: Sun Jan 06, 2013 12:37 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:15 am

Redocbew wrote:
It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.

Obligatory Defcon videos from my all-time favorite infosec speaker, Jayson Street:

https://www.youtube.com/watch?v=JsVtHqICeKE
https://www.youtube.com/watch?v=2vdvINDmlX8
https://www.youtube.com/watch?v=l1OFH_H8PjQ

Social engineering is definitely alive and well; when did it ever leave? Kevin Mitnik famously said that the most powerful tool in his arsenal was a cable-guy outfit. Seriously, list the breaches in the last few years that came from cracking a password or encrypted scheme. Hell, name me just *one*. Now list all the ones where someone found a backdoor into the one database to rule them all, there was an inside man, mass pwnage via domain controller, zero day fun, USB stick full of super secret files, etc. Unique passwords for important stuff (read: money and investments) are definitely a good thing but beyond that it's just security theater. Bad guys don't care about passwords because they don't have to. Even the high and mighty two factor authentication has been sidestepped on numerous occasions by sweet talking the phone company into reassigning a "lost" device's phone number to something else.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:29 am

University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots
If the Earth were flat, cats would have pushed everything off of it by now.
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 1:48 am

Captain Ned wrote:
University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots

Back when floppies were still in high usage, I knew better then to put one in that I found somewhere.
 
just brew it!
Gold subscriber
Administrator
Posts: 48732
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: NIST password guidelines updated!

Wed Aug 16, 2017 6:42 am

whm1974 wrote:
Captain Ned wrote:
University of Illinois Urbana-Champaign. 300 USB sticks randomly scattered around parking lots. 48% accessed, the first within 6 minutes of being dropped.

https://www.elie.net/blog/security/conc ... rking-lots

Back when floppies were still in high usage, I knew better then to put one in that I found somewhere.

With USB sticks, even if you wipe it you have no guarantee that the firmware hasn't been compromised. Just say no to "found" USB devices.
Nostalgia isn't what it used to be.
 
DragonDaddyBear
Gerbil Elite
Posts: 597
Joined: Fri Jan 30, 2009 8:01 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 7:18 am

Redocbew wrote:
It's like wearing scrubs in a big hospital. If you look like you're supposed to be there, then you're supposed to be there. It's a rare thing for someone to stop and say, "hey, you new here?".

Or so I've heard.

It is not uncommon for penetration testers to dress like an IT person and say they need to inventory your computer. Really it's just so they can put on a key logger.

About rotating passwords, I honestly think it's silly that some places do it so often on SOME systems. I view password strength in terms of work effort/time, and that all comes down to bits of entropy. With special characters commonly replacing certain words the average person is much better off using many words than just one or two with a substitution. If it would take a year to break your password then I say change it every year. Sadly, Microsoft is still using the NTLM hash for "performance" reasons. That's a very weak hashing method and it is still pretty easy to score the NTDS.dit file. So changing your work password every 60 or 90 days is unlikely to change, even though you can crack almost every NTLM password hash in will under a day.
 
druidcent
Minister of Gerbil Affairs
Posts: 2355
Joined: Wed Aug 07, 2002 7:55 pm
Location: Earth, Sol, Milky Way
Contact:

Re: NIST password guidelines updated!

Wed Aug 16, 2017 8:52 am

Captain Ned wrote:
In any security system the human is ALWAYS the weakest link. Given that I've been doing this for 21 years and have been in all of our regulated institutions more times than I care to count, one would expect that institution security officers would post my picture in the break room ('cause the security officers know what's coming, as the institution knows our arrival date about a month ahead of time) with the stern admonition "tell this guy nothing about the doors". The fact that this hasn't happened in 21 years is somewhat disconcerting.


A friend in the security industry is always complaining of the high turnover, and complete incompetents that he works with.. (I'll grant that about half the issues are his fault), but if the bank security guards are on par with the corporate security guards that I hear about, it really doesn't surprise me at all.. In fact, I'm almost willing to place a bet that whoever knows that you are coming either told a guard manager that isn't there anymore, or just logged it in the system and forgot to tell anyone.
 
Captain Ned
Gold subscriber
Global Moderator
Posts: 26199
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: NIST password guidelines updated!

Wed Aug 16, 2017 9:00 am

Guards? In Vermont? I get my info from the dewy-eyed younv tellers wbo hav to be there before opening and are less resistant to an argument from authority attempt.
If the Earth were flat, cats would have pushed everything off of it by now.
 
Vhalidictes
Gold subscriber
Graphmaster Gerbil
Posts: 1445
Joined: Fri Jan 07, 2005 2:32 pm
Location: Paragon City, RI

Re: NIST password guidelines updated!

Wed Aug 16, 2017 11:44 am

Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed younv tellers wbo hav to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as a IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.
 
chuckula
Gold subscriber
Gerbil Jedi
Posts: 1509
Joined: Wed Jan 23, 2008 9:18 pm
Location: Probably where I don't belong.

Re: NIST password guidelines updated!

Wed Aug 16, 2017 11:56 am

Vhalidictes wrote:
Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed younv tellers wbo hav to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as a IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.


Did you have a clipboard, hard hat, orange vest, and some form of lanyard? If you have those ingredients then you can probably get in practically anywhere in the world.
4770K @ 4.7 GHz; 32GB DDR3-2133; GTX-1080; 512GB 840 Pro (2x); Fractal Define XL-R2; NZXT Kraken-X60
--Many thanks to the TR Forum for advice in getting it built.
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:03 pm

Vhalidictes wrote:
Captain Ned wrote:
Guards? In Vermont? I get my info from the dewy-eyed younv tellers wbo hav to be there before opening and are less resistant to an argument from authority attempt.


Social engineering is mostly about outfit choice and body language. I can't count the number of times I had to get into a building, high 4 figures easily, and it was never an issue for me (spent years as a IT consultant). And my interpersonal skills suck. If I had any actual charisma it would literally be effortless to get around. And yes, government buildings aren't much better than corporate.

So if we wanted too we could LARP our way into places we don't belong by dressing right and having enough Charisma?
 
Redocbew
Gold subscriber
Graphmaster Gerbil
Posts: 1205
Joined: Sat Mar 15, 2014 11:44 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:07 pm

whm1974 wrote:
So if we wanted too we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Catch me if you can...
Do not meddle in the affairs of archers, for they are subtle and you won't hear them coming.
 
whm1974
Maximum Gerbil
Posts: 4796
Joined: Fri Dec 05, 2014 5:29 am

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:18 pm

Redocbew wrote:
whm1974 wrote:
So if we wanted too we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Catch me if you can...

I've seen that movie.
 
Glorious
Gold subscriber
Grand Admiral Gerbil
Posts: 10029
Joined: Tue Aug 27, 2002 6:35 pm

Re: NIST password guidelines updated!

Wed Aug 16, 2017 12:38 pm

whm1974 wrote:
So if we wanted too we could LARP our way into places we don't belong by dressing right and having enough Charisma?


Most, not all.

That's because most places have "security" to basically make sure homeless people don't squat in the lobby. If you look like you know what you are doing and are dressed appropriately, you don't even get noticed typically.

Likewise with badge doors, they exist so drunks don't just wander in. If you look like you know what you are doing etc..., you just follow someone in. Most places don't even bother to try and make it socially clear that you shouldn't just let someone in behind you, much less piss everyone off by actually punishing someone for it.

At my plant, for instance, it's all very seriously fenced/walled off topped with concertina wire and you can only get in via foot by one-person metered full turnstiles operated by badges. The vehicle gates are manned and serious too. There are armed guards, security vehicles etc... I've seen them chase off people just taking pictures from the outside!

But, you know, this is heavy industry. Hence with rail. Specifically, numerous rail lines that go into the plant. :wink:

Sure, they aren't all that obvious and inconveniently located for foot/vehicle traffic. But, if you are motivated and think about it for a moment, I mean, there *might* some DVR system "guarding" those various entry points...?

---

I've never been in the military etc..., but I'm pretty sure the only way they've found around this problem is authorizing the low-level guys at the entry points to *KILL* anyone who (almost certainly legitimately) is a higher ranked officer who "forget" his documents/whatever and is trying to just bully his way in despite procedure.

It really does take that level of credible deterrence to even approach being full-proof.

Who is online

Users browsing this forum: No registered users and 1 guest