Is this "don't microwave your hamster"-requirement a result of the bcrypt trouble [1] or how comes?
[1] https://security.stackexchange.com/questions/39849/does-bcry...
My wife's bank was using a numeric id as the login until last month. They had token based and then app based codes instead of passwords, which was decent.
This month they forced her to pick an user name instead of the numeric code to login. They required her to have at least one capital letter and a number. In the user.
According to Gemini it's the 8th largest European bank :)
1. Requiring certain characters is a limit on which characters are selected. An attacker now knows to look for at least one digit, upper case char, and one of 10 special chars. This is a smaller selection of characters than the whole of all characters that were available before, so it decreases entropy.
2. Most users choose weak simple passwords with low entropy. Requiring users to use some characters that they wouldn't otherwise increases the entropy as it increases the selection of characters in the password.
I actually don't believe 2, as most users will just start with an upper case char and end with 1!, so the entropy will still decrease for most users, as they will choose easily guessable placements for these required chars.
*) plain-text here means any and all methods that give the attacker access to the original password, including modifying client-side JS.
I’ve been noticing this downward spiral for more than a decade now. It’s becoming unmanageable to use authentication.
It’s MFA, passwords and passkeys in multiple forms. I have to reach several times a day for the phone to get yet another MFA from the Authenticator or SMS to login the same site I’ve used yesterday. Constant nagging for “security“ from everywhere, and on top of these, these unproductive password changes requests described in the article.
I been thinking about it the last months, and we really need a paradigm shift when it comes to authentication. I’m not knowledgeable enough to know what, but I can see the problem pilling up in front of my own eyes.
* max 64 chars “should” requirement? vs. no truncation?
* what about pin-codes?
* the password process is still very much a hot mess, standardize registration, IIA, updating, cancellation
* protection of passwords at-rest, salt your passwords
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator"
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...
Also worth pointing out that NIST doesn't set policy, so unfortunately this doesn't directly "forbid" anything, though many other policies reference 800-63.