Untitled attachment

Notices where this attachment appears

1. Embed this notice
   Royce Williams (tychotithonus@infosec.exchange)'s status on Thursday, 26-Sep-2024 03:51:25 JST Royce Williams

   (To be clear, we're talking about truly "must be memorized" secrets: the "initial" passwords to your password manager, your AD / VPN login, etc.)

   These NIST principles:

   • "length is more important that complexity"

   • "forced rotation is bad"

   ... are a start, but they are all outdated proxies for the only true password principle:

   • "uniqueness is more important than anything"

   This uniqueness s not terribly hard. A five-word random passphrase from a 20K+ dictionary, with no other requirements:

   • is globally unique for most practical purposes
   • is longer than every platform's minimum
   • is infeasible to crack for most threat models¹
   • can be memorized without a ton of effort

   And if you're dealing with a system that enforces other complexity, just apply the same complexity every time. This is safe because the strength of the password comes from the number of combinations. Capitalizing the first word, and appending 1 and an underscore is what I do to meet naive complexity. And I'm totally fine sharing that with the world because that's not what makes my passwords strong.

   And if the platform has a length maximum, it's usually not one that requires memorization, and the password can just be set to random 15 ASCII chars and stored in your password manager.

   tl;dr Give your users a password manager, and teach them to make random passphrases for their must-be-memorized secrets. Anything else is wasting time, teaching them things that are already outdated.

   ¹This is 3x1021 combinations. Worried about nation states or aliens? Use a bigger wordlist ... or just add one more word. Instantly makes it 20K+ times harder to crack (6x1025).