i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn’t reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn’t install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.
fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren’t sitting at the office computer but other than that people are much happier about passwords now.
Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
Don’t store password hints that others can guess.
Don’t prompt the user to use knowledge-based authentication.
Don’t truncate passwords for verification.
I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.
NIST generally knows what they’re doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.
I hate that anyone has to be told not to truncate passwords. Like even if you haven’t had any training at all, you’d have to be advanced stupid to even come up with that idea in the first place.
Very common for pass phrases, and not dissuaded. Pass phrases are good for people to remember without using poor storage practices (post it notes, txt file, etc) and are strong enough to keep secure against brute force attacks or just guessing based off knowledge of the user.
Any password length (within reason) and any character should be allowed. It’s going to be hashed and only the hash will be stored right? Length and character limits make me suspect it’s being stored in plain text.
Then you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.
I don’t know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brutal force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).
I very much agree with the rest though, it’s unnerving when sites have a low max length. It almost feels like advertising that passwords aren’t being hashed and if that’s the case there’s a snowball’s chance in hell that they’re also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn’t know how to sanitize strings (or entirely likely both)…
Rules here are 64 as a reasonable maximum. A lot of programmers don’t realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.
the document is nearly impossible to read all the way through and just as hard to understand fully
It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.
My career as a sysadmin consistently has me veering toward security and compliance and my brain is absolutely fried on trying to figure out what these huge docs actually mean, how they apply to the things I’m responsible for and what we’re supposed to do about it.
Props to all the folks that can do it without losing their mind.
Useless??? Ever since the pandemic and the need for a robust remote work infrastructure, the amount of cybersecurity related job offers has exploded. And they’re very well paid where I live.
At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.
A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn’t work for (the password manager’s password, encrypted system partitions, etc). I’m assuming In just summed up 35,000 words.
This guy is no different than every other smarmy “Tech Reviewer” on YT. His reviews have been borderline useless for the last few years. This is just the next logical step that these guys take - hitch themselves onto a tech accessory or app and charge their followers predatory prices - fuck this guy.
It’s kind of a paradox when you think about it. Good reviewers are often just regular people with a passion for tech but as they become more popular and prolific they become part of the industry itself. Once that happens even if they try to stay objective and critical their perspective is so different from regular people that reviews are just part of the sales and marketing strategy rather than pro tips from an enthusiast.
If we boil this article down to it’s most basic point, it actually has nothing to do with virtualization. The true issue here is actually centralized infra/application management. The article references two ESXi CVE’s that deal with compromised management interfaces. Imagine a scenario where we avoid virtualization by running Kubernetes on bare metal nodes, and each Pod gets exclusive assignment to a Node. If a threat actor has access to the Kubernetes management interface, and can exploit a vulnerability to access that management interface, it can immediately compromise everything within that Kubernetes cluster. We don’t even need to have a container management platform. Imagine a collection of bare-metal nodes managed by Ansible via Ansible Automation Platform (AAP). If a threat actor has access to AAP and exploit it, it then can compromise everything managed by that AAP instance. This author fundamentally misattributes the issue to virtualization. The issue is centralized management and there are significant benefits to using higher-order centralized management solutions.
“curated wallpapers” including random generated stuff, and “shares profits” on a 50/50 basis, for a shitty app developed by what looks like three fivers in a trench coat.
Pro tip, if you suspect the police are going to take your phone, turn it off. As far as I am aware, finger print and face id do not work on initial startup and they can’t compel you to enter your pin without a warrant.
Double check this in the state or country you’re in. I recall something from a few years ago where the police could force you to give a swipe pattern and maybe pin since these items are not covered in the same way that a password is.
Maybe in some countries but in a western one they aren’t getting a pattern or passcode unless you verbally give it to them. We do know though that there is some level of capability to crack phones though.
That article is SO wrong. You don’t run one instance of a tier1 application. And they are on separate DCs, on separate networks, and the firewall rules allow only for application traffic. Management (rdp/ssh) is from another network, through bastion servers. At the very least you have daily/monthly/yearly (yes, yearly) backups. And you take snapshots before patching/app upgrades. Or you even move to containers, with bare hypervisors deployed in minutes via netinstall, configured via ansible. You got infected? Too bad, reinstall and redeploy. There will be downtime but not horrible. The DBs/storage are another matter of course, but that’s why you have synchronous and asynchronous replicas, read only replicas, offsites, etc. But for the love of what you have dear, don’t run stuff on bare metal because “what if the hypervisor gets infected”. Consider the attack vector and work around that.
You can prevent downtime by mirroring your container repository and keeping a cold stack in a different cloud service. We wrote an loe, decided the extra maintenance wasn’t worth the effort to plan for provider failures. But then providers only sign contracts if you are in their cloud and you end up doing it anyways.
Unfortunately most victims aren’t using best practices let alone industry standards. The author definitely learned the wrong lesson though.
technology
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.