Friday, July 28, 2017

Passwords Evolved: Authentication Guidance for the Modern Era

Troy Hunt (via Hacker News):

These are simple examples but the thought process I’m trying to get going is that we can be a lot smarter than the traditional binary authentication state that still prevails in the vast majority of systems today.

[…]

In addition to the problems mentioned above, short arbitrary limits like this regularly cause people to speculate that password storage is insufficient. When cryptographically hashed, all passwords are stored with the same fixed length, so an arbitrary limit such as the one above may indicate the password is stored in plain text and the column only allows 10 characters.

[…]

What tends to happen when there are requirements around password complexity is that people first try something basic then they tweak characters until it comes up to the minimum requirement of the site.

[…]

Closely related to the use of password managers is the ability to paste passwords into the login screen. There are plenty of password managers that can auto-fill credentials, but there are occasions where either pasting is still necessary or where a service blocks a password that hasn’t been typed in character by character (easily identified with a bit of JavaScript).

[…]

Let’s think through the rationale of this approach for a moment: the premise of a regular password change is that should that password be compromised, forcing a change means it is no longer valid, ergo it cannot be used by malicious parties. The problem is, attackers have got up to 3 months in the example I gave earlier or in some cases, even longer[…]
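As an added illustration of the fixed-length point above (this is example code, not from Troy Hunt's article or this page), a small Python sketch that salts and hashes passwords with PBKDF2-HMAC-SHA256 from the standard library; the 200,000-iteration work factor and 16-byte salt are assumed parameters, and the stored record is the same size whether the password is 8 or 2,000 characters, so a column of fixed width needs no arbitrary cap on password length.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example: work factor and salt size.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = hashlib.sha256().digest_size  # 32 bytes for SHA-256

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt) as one fixed-length record.

    The output is always SALT_BYTES + DIGEST_BYTES long, independent of the
    length of the password, which is why a short maximum length on the
    password field suggests the hash is not what is being stored.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def stored_lengths(passwords: List[str]) -> List[int]:
    """Length of the stored record for each password (constructed inputs)."""
    return [len(hash_password(p)) for p in passwords]

if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    samples = ["Tr0ub4dor", "correct horse battery staple", "x" * 2000]
    print(stored_lengths(samples))  # every entry is SALT_BYTES + DIGEST_BYTES
```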
