feddit.org

Local All Communities Log in Sign up

Local All Communities

542

NIST proposes barring some of the most nonsensical password rules(arstechnica.com)

posted 9 days ago

by

Amicitas@lemmy.world

in

technology@lemmy.world

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

Sort:

Hot Top Controversial New Old

You are viewing a single thread.

View all comments View context

[ +- ]

Amanduh@lemm.ee

8 points

9 days ago

Can you elaborate further? Why would someone want to truncate passwords to begin with?

report

reply

[ +- ]

essteeyou@lemmy.world

23 points

9 days ago

To save a few megabytes of text in a database somewhere. Likely the same database that gets hacked.

report

reply

[ +- ]

orclev@lemmy.world

28 points

9 days ago

Which shouldn’t even matter because passwords are salted and hashed before storing them, so you’re not actually saving anything. At least they better be. If you’re not hashing passwords you’ve got a much bigger problem than low complexity passwords.

report

reply

[ +- ]

essteeyou@lemmy.world

33 points

9 days ago

The place that truncates passwords is probably not the place to look for best practices when it comes to security. :-)

report

reply

[ +- ]

orclev@lemmy.world

5 points

8 days ago

Hashing passwords isn’t even best practice at this point, it’s the minimally acceptable standard.

report

reply

[ +- ]

Tywèle [she|her]@lemmy.dbzer0.com

2 points

8 days ago

*

What is the best practice currently?

report

reply

[ +- ]

pivot_root@lemmy.world

8 points

8 days ago

*

Use a library. It’s far too easy for developers or project managers to fuck up the minimum requirements for safely storing passwords.

But, if you are wanting to do it by hand…

Don’t use a regular hashing algorithm, use a password hashing algorithm
Use a high iteration count to make it too resource-intensive to brute force
Salt the hash to prevent rainbow tables
Salt the hash with something unique to that specific user so identical passwords have different hashes

report

reply

Show more comments

Show more comments

Show more comments

[ +- ]

frezik@midwest.social

1 point

8 days ago

*

Sorta. Not really.

Key derivation algorithms are still hashes in most practical ways. Though they’re derived directly from block ciphers in most cases, so you could also say they’re encrypted. Even though people say to hash passwords, not encrypt them.

I find the whole terminology here to be unenlightening. It obscures more than it understands.

report

reply

[ +- ]

orclev@lemmy.world

2 points

8 days ago

A KDF is not reversible so it’s not encryption (a bad one can be brute forced or have a collision, but that’s different from decrypting it even if the outcome is effectively the same). As long as you’re salting (and ideally peppering) your passwords and the iteration count is sufficiently high, any sufficiently long password will be effectively unrecoverable via any known means (barring a flaw being found in the KDF).

The defining characteristic that separates hashing from encryption is that for hashing there is no inverse function that can take the output and one or more extra parameters (secrets, salts, etc.) and produce the original input, unlike with encryption.

report

reply

Show more comments

Show more comments

Show more comments

Show more comments

Show more comments

[ +- ]

frezik@midwest.social

1 point

8 days ago

*

Lots of older databases had fixed length fields, and you had to pad it if it was smaller. VARCHAR is a relatively new thing. So it’s not just saving space, but that old databases tended to force the issue.

Nobody has an excuse today. Even Cobol has variable length strings.

report

reply

Technology

!technology@lemmy.world

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

@L4s@lemmy.world
@autotldr@lemmings.world
@PipedLinkBot@feddit.rocks
@wikibot@lemmy.world

Community stats

18K
Monthly active users
5.2K
Posts
96K
Comments

Community moderators

L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4sBot@fry.gsB
L4sBot@lemmy.worldB

modlog legal instances join-lemmy.org

lemmy-ui-next v0.11.0 (github)lemmy v0.19.5 (github)