this post was submitted on 26 Sep 2024
547 points (99.6% liked)

Technology

58303 readers
24 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
547
NIST proposes barring some of the most nonsensical password rules (arstechnica.com)
submitted 3 weeks ago by [email protected] to c/[email protected]
152 comments fedilink hide all child comments
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 3 weeks ago (3 children)

Cracking an 8-char on an ordinary desktop or laptop PC can still take quite a while depending on the details. Unfortunately, the existence of specialized crypto-coin-mining rigs designed to spit out hashes at high speed, plus the ability to farm things out into the cloud, means that the threat we're facing is no longer the lone hacker cracking things on his own PC.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

Newer password hashing algorithms have ways of combatting this. For example, argon2 will use a large amount of memory and CPU and can be tuned for execution time. So theoretically you could configure it to take 0.5 seconds per hash calculation and use 1 GB or more of ram. That's going to be extremely difficult to bruteforce 8 characters.

The trade-off is it will take a second or two to login each time, but if you've got some secondary pin system in place for frequent reauthentication, it can be a pretty good setup.

Another disadvantage is the algorithm effectively gets less secure the less powerful your local device is. Calculating that same 0.5s hash on a beefy server vs your phone could make it take way longer or even impossible without enough ram.

[–] [email protected] 1 points 3 weeks ago (1 children)

Unfortunately, it's rare that we can control what hashing algorithm is being used to secure the passwords we enter. I merely pray that any account that also holds my credit card data or other important information isn't using MD5. Some companies still don't take cybersecurity seriously.

[–] [email protected] 4 points 3 weeks ago

Storing credit card data has its own set of strict security rules that need to be followed. It's also the credit card company's problem, not yours, as long as you dispute any fraudulent charges early enough.

I'm coming at this from the perspective of a developer. A user can always use a longer password (and you should), but it's technically possible to make an 8 character password secure, thus the NIST recommend minimum.