Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • VantaBrandon@lemmy.world
    link
    fedilink
    English
    arrow-up
    53
    ·
    3 months ago

    How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

    • johannesvanderwhales@lemmy.world
      link
      fedilink
      English
      arrow-up
      42
      ·
      3 months ago

      Frankly I’m mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.

      There are plugins that will disallow this. I think the one I use is “don’t fuck with paste”

      • dual_sport_dork 🐧🗡️@lemmy.world
        link
        fedilink
        English
        arrow-up
        8
        ·
        3 months ago

        Ooh, ooh. And for implementing any Javascript or jQuery or whatever that pops up some kind of smarmy message when you right click: Believe it or not, straight to jail.

        Plus, that kind of thing is not going to prevent anyone from scraping images from anywhere if they have the capability to lift a finger to press F12.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          3 months ago

          Exactly.

          My host decided to update their TOS to force me to accept binding arbitration, so I Inspect Elemented that right off the page and sent a message to support to end my service effective immediately (had been a paying customer for years). You’re not going to bully me on my own browser…

      • D_Air1@lemmy.ml
        link
        fedilink
        English
        arrow-up
        7
        ·
        3 months ago

        Browsers shouldn’t allow half of the stuff that they allow. You have to do the same thing not just with copy and paste, but also searching on the page with ctrl + f. Like I don’t care that websites won’t to create their own experience. Don’t mess with browser behavior.

        • JustARaccoon@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          3 months ago

          You really want to memorise different shortcuts for search? What if you’re on a web app like discord? Ctrl+f isn’t gonna be as useful as a built in search solution that has access to data that isn’t visible until searched for. I get the issues on disabling the features but if they’re replacing browser behaviour with something that suits the site better I think that’s alright as long as it’s not s downgrade.

          • D_Air1@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            All too often it is a downgrade though. A lot of those webapps have terrible search and I only want to search for what is on the current page anyways. For example reddit search has been notoriously bad for a long time. Half the forums online seem to be using the exact same open source software with the exact same terrible search. When all too often I just want to find what is on the current page anyways.

    • kalpol@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Don’t forget you save lots of fuel by firing out of the solar system instead

  • umami_wasabi@lemmy.ml
    link
    fedilink
    English
    arrow-up
    42
    ·
    edit-2
    3 months ago

    the document is nearly impossible to read all the way through and just as hard to understand fully

    It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

    • GoofSchmoofer@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      It sets both the technical requirements and recommended best practices for determining the validity of methods used to authenticate digital identities online. Organizations that interact with the federal government online are required to be in compliance

      My argument is that if this document (and others) are requirements for companies shouldn’t there also be a more approachable document for people to use?

      Sure, have the jargon filled document that those in the know can access, but without an additional not so jargon-y document you’ve just added a barrier to change. Maybe just an abstract of the rule changes on the front page without the jargon?

      I don’t know, maybe it’s not a big deal to compliance officers but just seems to me (someone that isn’t a compliance officer) that obfuscating the required changes behind jargon and acronyms is going to slow adoption of the changes.

  • Madblood@lemmy.world
    link
    fedilink
    English
    arrow-up
    26
    ·
    3 months ago

    Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

    About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I’m good to go. If there’s no internet available, the smart card will still get me into my computer. If I’m on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      3 months ago

      Eh, I think they should nag users to change their password proportional to how “strong” their password is. If you’re barely meeting the minimum: reset every few months. If you’re using a proper passphrase dozens of characters long: only reset if there’s evidence of compromise.

  • Semi-Hemi-Lemmygod@lemmy.world
    link
    fedilink
    English
    arrow-up
    20
    ·
    3 months ago

    One thing they should change is the word “password.” This implies that it’s a short string. Changing it to “passphrase” will help people feel comfortable choosing credentials like “correct horse battery staple.”

    • Soggy@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      I recently set up a password with a 16 character max, alphanumeric only, no spaces. The service is in no way a security threat but still.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        3 months ago

        A couple years ago I ran into one with a 12 character limit…

        I never understood password limits, other than something sufficiently large like 256 to prevent DOS. It’s not like the password is actually being stored anywhere… right? RIGHT??

  • jj4211@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    ·
    3 months ago

    Meanwhile, my company has systems insisting on expiring ssh keys after 90 days…

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        You are going to give them ideas…

        Ironically, reinstall the whole system, make sure to add some CrowdStrike, SolarWinds, and Ivanti for security and management though…

    • TBi@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 months ago

      My company blocked ssh keys in favour of password + 2FA. Honestly I don’t mind the 2FA since we use yubikeys, but wouldn’t ssh key + 2FA be better?

      • jj4211@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        All well and good when ssh activity is anchored in a human doing interactive stuff, but not as helpful when there’s a lot of headless automation that has to get from point a to point b.

  • ctkatz@lemmy.ml
    link
    fedilink
    English
    arrow-up
    16
    ·
    3 months ago

    i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn’t reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn’t install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.

    fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren’t sitting at the office computer but other than that people are much happier about passwords now.

      • WhatAmLemmy@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        3 months ago

        I would always just create 1 password and append a number and it’s special char, cycling from 1 to 0; like 1!, 2@, 3#. Never stayed at a place long enough to go higher than 7 or 8.

        I never gave a fuck about doing this because it’s the companies fault for applying stupid policies. Whenever I’ve been allowed a password manager, they got real security instead of malicious compliance.

  • Classy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    15
    ·
    3 months ago

    The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that’s very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it’s my new password. Apparently this is more secure??

    • chiliedogg@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      3 months ago

      I just add 1 to the number at the end of my password every time they force a change.

      I’m on 18 right now.

  • BelatedPeacock@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    3 months ago

    At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.

    A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

    Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

    A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn’t work for (the password manager’s password, encrypted system partitions, etc). I’m assuming In just summed up 35,000 words.