• andyburke
    link
    fedilink
    681 year ago

    FWIW: these types of password rules are discouraged by NIST -

    1. Eliminate Periodic Resets

    Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.

    It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

    So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.

    • @[email protected]
      link
      fedilink
      181 year ago

      They also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.

      • RQG
        link
        fedilink
        181 year ago

        I wish I knew what all those acronyms mean.

        • @[email protected]
          link
          fedilink
          19
          edit-2
          1 year ago

          2FA - Two factor authentication, you get asked a second secret besides your password. Banks used to give users a card with codes that you had to find and input when authenticating with them.

          OTP - one time password, you receive a code over SMS or mail.

          TOTP - Time based one time password, you have to have an authentication app that creates a clock based cryptographic code.

          FIDO2 - fast identity online standard version 2, is a set of ID verification technologies. Usually you’re asked to confirm access on another certified device. Like google asking you to check your phone for a notification when logging into a new browser.

        • @[email protected]
          link
          fedilink
          6
          edit-2
          1 year ago

          2FA: two factor authentication. So using a password (something you know) in combination with something else, like something you are (biometrics) or something you have (security token, phone with authenticator app)

          OTP: One-time password. A password you can only use once. Can be a list of passwords where you have to use the next one on the list with each login or any other mechanism that provides a unique password for each login.

          TOTP: Time-based one time password. An OTP scheme where the password is derived from a shared secret and the current time. Like Google Authenticator.

          FIDO2: Fast IDentity Online version 2. A standard that lets you use an authentication device to log into online services. This can be in the form of a USB key or something built into your computer (e.g. on a Mac you can use the built-in fingerprint scanner).

      • Polar
        link
        fedilink
        31 year ago

        How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.