[OPLIN 4cast] OPLIN 4cast #543: Even the government agrees password security guidelines are awful

OPLIN Support via OPLIN4cast oplin4cast at lists.oplin.org
Wed May 24 10:30:15 EDT 2017


May 24th, 2017

Are you tired of changing your password every few months? Annoyed by the
stringent level of complexity so many applications and websites now require
of your passwords? You're not alone and, more importantly, those measures
don't actually seem to do much to enhance security. It has now gotten to the
point where the United States National Institute of Standards and Technology
(NIST) has drafted new password guidelines for the public sector. These
guidelines are surprisingly progressive. They eliminate periodic password
changes and remove imposed complexity requirements; instead, passwords will
be checked directly against a list of commonly used, expected, or compromised
passwords. This way, users will be prevented from creating passwords like
"12345678." There is no exact ETA yet on when these changes will be
implemented, but this is a huge step in combating password fatigue and
towards making passwords actually more secure.
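As an added illustration (not code from the OPLIN post, NIST, or any of the
linked articles), here is a Python password-acceptance check in the style the
paragraph describes: length bounds, no character-class rules, no forced
rotation, and a lookup against a blocklist of common and compromised
passwords. The blocklist contents, the sample usernames and the SHA-1 storage
format for the compromised list are assumptions constructed for the example.

```python
import hashlib

# Constructed sample lists for this example. A real deployment loads a large
# list of leaked/common passwords; compromised-password lists are usually
# distributed as SHA-1 hashes rather than plaintext, so both forms are shown.
COMMON_PLAINTEXT = {"12345678", "password", "qwerty123", "letmein", "iloveyou"}

def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# Hashed form of a (constructed) compromised list, built from plaintext here
# only so the example is self-contained.
COMPROMISED_SHA1 = {sha1_hex(p) for p in ("hunter2hunter2", "Summer2017!")}

MIN_LEN = 8   # NIST SP 800-63B floor for user-chosen memorized secrets
MAX_LEN = 64  # verifiers must accept at least this length

def normalize(pw: str) -> str:
    """Case-fold and trim so trivial variants of a blocked password
    ('Password', 'PASSWORD ') are still caught by the plaintext list."""
    return pw.strip().lower()

def is_blocked(pw: str) -> bool:
    """True if the password is on the common list (normalized) or on the
    compromised list (exact SHA-1 match, since leaked lists hash exact
    strings; a case variant of a leaked password is not matched)."""
    return normalize(pw) in COMMON_PLAINTEXT or sha1_hex(pw) in COMPROMISED_SHA1

def check_password(pw: str, username: str = "") -> tuple:
    """Return (accepted, reason). Deliberately no character-class rules and
    no expiry: only length bounds, blocklists and a context check."""
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    if is_blocked(pw):
        return False, "appears on the common/compromised password list"
    # A password built around the user's own name is an 'expected' password.
    if username and normalize(username) in normalize(pw):
        return False, "contains the username"
    return True, "ok"

if __name__ == "__main__":
    for pw in ("12345678", "Password", "Summer2017!", "correct horse battery staple"):
        print(repr(pw), check_password(pw))
```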

   - New password guidelines say everything we thought about passwords is
   wrong
   <https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/>
   [Venture Beat] "Although NIST’s rules are not mandatory for
   nongovernmental organizations, they usually have a huge influence as many
   corporate security professionals use them as base standards and best
   practices when forming policies for their companies."
   - Vendors approve of NIST password draft
   <http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html>
   [CSO Online] "NIST’s Paul Grassi, one of the authors of the report, noted
   that many of the above guidelines are now only strong suggestions and are
   not mandatory yet. The public comment period closed on May 1 and now the
   draft goes through an internal review process. It is expected to be
   completed by early to mid summer."
   - NIST’s new password rules – what you need to know
   <https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/>
   [Naked Security] "Additionally, and this is a big change: SMS should no
   longer be used in two-factor authentication (2FA). There are many problems
   with the security of SMS delivery, including malware that can redirect
   text messages; attacks against the mobile phone network (such as the
   so-called SS7 hack
   <https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls>);
   and mobile phone number portability."
   - What’s a Good Password? NIST says One that hasn’t been stolen
   <https://securityledger.com/2017/05/whats-a-good-password-nist-says-one-that-hasnt-been-stolen/>
   [The Security Ledger] "Together, the recommendations offer
   counter-intuitive, but well supported advice on how to coach users to
   select more secure passwords to protect their accounts. For example, NIST’s
   guidelines suggest abandoning length and complexity requirements for
   passwords, such as requiring passwords of a certain length and mandating
   the use of letters, numbers and special characters in the password. Such
   practices are the bedrock of most current password regimes, but NIST said
   they often work at cross purposes with efforts to protect accounts."

*Articles from the Ohio Web Library <http://ohioweblibrary.org>:*

   - NIST seeking to move beyond passwords
   <http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bwh&AN=wapo.ce5efca2-5104-11e1-9f89-15d8d29d7ba1&site=ehost-live>
   (Marjorie, C. (2). NIST seeking to move beyond passwords. *Washington
   Post, The*.)
   - The National Institute of Standards and Technology
   <http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=115651433&site=ehost-live>
   (Anders, S. B. (2016). The National Institute of Standards and
   Technology. *CPA Journal*, 72-73.)
   - Your E-mail Password Will Never Be Safe
   <http://search.ebscohost.com.proxy.oplin.org/login.aspx?direct=true&db=cmh&AN=120240170>
   (Pogue, D. (2017). Your E-mail Password Will Never Be Safe. *Scientific
   American*, *316*(1), 24.)

------------------------------
The *OPLIN 4cast* is a weekly compilation of recent headlines, topics, and
trends that could impact public libraries. You can subscribe to it in a
variety of ways, such as:

   - *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
   subscribing to the following URL:
   http://www.oplin.org/4cast/index.php/?feed=rss2
   - *Live Bookmark.* If you're using the Firefox web browser, you can go
   to the 4cast website (http://www.oplin.org/4cast/) and click on the
   orange "radio wave" icon on the right side of the address bar. In Internet
   Explorer 7, click on the same icon to view or subscribe to the 4cast RSS
   feed.
   - *E-mail.* You can have the OPLIN 4cast delivered via e-mail (à la
   OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
   http://lists.oplin.org/mailman/listinfo/OPLIN4cast

© 2016 Ohio Public Library Information Network