<div dir="ltr"><div><div class="m_1270665552182082886gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">
<table class="m_1270665552182082886backgroundTable" bgcolor="#ffffff" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr>
<td align="left" valign="top">
<table cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td style="border-top:0px solid rgb(51,51,51);border-bottom:0px solid rgb(255,255,255);background-color:rgb(255,255,255)">
<center><a><img id="m_1270665552182082886editableImg1" src="http://www.oplin.org/4cast/wp-content/themes/unlimited/assets/images/4cast_email_header.png" title="OPLIN" alt="OPLIN 4Cast" align="middle" border="0"></a></center>
</td>
</tr>
</tbody>
</table>
<table style="width:763px;height:877px" bgcolor="#ffffff" cellpadding="20" cellspacing="0">
<tbody>
<tr>
<td style="font-size:12px;color:rgb(0,0,0);line-height:150%;font-family:'Gothic Sans',sans-serif" bgcolor="#ffffff" valign="top">
<p> <span style="font-size:20px;font-weight:bold;color:rgb(0,0,0);font-family:arial;line-height:110%">OPLIN 4cast #543: Even the government agrees password security guidelines are awful</span><br>
<span style="font-size:11px;font-weight:normal;color:rgb(102,102,102);font-style:italic;font-family:arial">May 24th, 2017</span></p>
<p style="text-align:justify;font-size:16px;font-family:arial;line-height:110%"><img align="left" class="m_1270665552182082886alignleft m_1270665552182082886size-full m_1270665552182082886wp-image-6101" src="http://4cast.oplin.org/wp-content/uploads/2017/05/password.png" alt="Really bad password example" width="130" height="94" style="padding-right: 14px; padding-top: 4px; padding-bottom: 4px;" title=""> Are you tired of changing your password every few months? Annoyed by the stringent complexity rules that so many applications and websites now require of your passwords? You're not alone and, more importantly, those measures don't actually seem to do much to enhance security. It has now gotten to the point where the United States National Institute of Standards and Technology (NIST) has drafted new password guidelines for the public sector. These guidelines are surprisingly progressive. They eliminate periodic password changes and remove imposed password complexity; instead, passwords will be checked directly against a list of commonly used, expected, or compromised passwords. This way, users will be prevented from creating passwords like "12345678." There is no exact ETA yet on when these changes will be implemented, but this is a huge step in combating password fatigue and toward making passwords actually more secure.</p><ul>
<li style="text-align:justify;font-size:16px;font-family:arial;line-height:110%"><a href="https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/" target="_blank">New password guidelines say everything we thought about passwords is wrong </a>[Venture Beat] "Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence as many corporate security professionals use them as base standards and best practices when forming policies for their companies."</li>
<li style="text-align:justify;font-size:16px;font-family:arial;line-height:110%"><a href="http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html" target="_blank">Vendors approve of NIST password draft</a> [CSO Online] "NIST’s Paul Grassi, one of the authors of the report, noted that many of the above guidelines are now only strong suggestions and are not mandatory yet. The public comment period closed on May 1 and now the draft goes through an internal review process. It is expected to be completed by early to mid summer."</li>
<li style="text-align:justify;font-size:16px;font-family:arial;line-height:110%"><a href="https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/" target="_blank">NIST’s new password rules – what you need to know</a> [Naked Security] "Additionally, and this is a big change: SMS should no longer be used in two-factor authentication (2FA). There are many problems with the security of SMS delivery, including malware that can redirect text messages; attacks against the mobile phone network (such as the so-called <a href="https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls" rel="nofollow" target="_blank">SS7 hack</a>); and mobile phone number portability."</li>
<li style="text-align:justify;font-size:16px;font-family:arial;line-height:110%"><a href="https://securityledger.com/2017/05/whats-a-good-password-nist-says-one-that-hasnt-been-stolen/" target="_blank">What’s a Good Password? NIST says One that hasn’t been stolen</a> [The Security Ledger] "Together, the recommendations offer counter-intuitive, but well supported advice on how to coach users to select more secure passwords to protect their accounts. For example, NIST’s guidelines suggest abandoning length and complexity requirements for passwords, such as requiring passwords of a certain length and mandating the use of letters, numbers and special characters in the password. Such practices are the bedrock of most current password regimes, but NIST said they often work at cross purposes with efforts to protect accounts."</li>
</ul>
<div style="text-align:left"> </div>
<p style="text-align:left;font-size:20px;font-family:arial;line-height:110%"><small><strong><em>Articles from the <a href="http://ohioweblibrary.org" target="_blank">Ohio Web Library</a>:</em></strong></small><br>
</p>
<div style="text-align:justify;font-size:16px;font-family:arial;line-height:110%">
<ul> <li><a href="http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bwh&AN=wapo.ce5efca2-5104-11e1-9f89-15d8d29d7ba1&site=ehost-live" target="_blank">NIST seeking to move beyond passwords</a> (Marjorie, C. (2). NIST seeking to move beyond passwords. <i>Washington Post, The</i>.)</li> <li><a href="http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=115651433&site=ehost-live" target="_blank">The National Institute of Standards and Technology</a>. (Anders, S. B. (2016). The National Institute of Standards and Technology. <i>CPA Journal</i>, 72-73.)</li> <li><a href="http://search.ebscohost.com.proxy.oplin.org/login.aspx?direct=true&db=cmh&AN=120240170" target="_blank">Your E-mail Password Will Never Be Safe </a>(Pogue, D. (2017). Your E-mail Password Will Never Be Safe. <i>Scientific American</i>, <i>316</i>(1), 24.)</li>
</ul>
</div>
<div style="text-align:left"> </div>
</td>
</tr>
<tr>
<td valign="top" width="760"><span style="font-size:10px;color:rgb(96,96,96);line-height:100%;font-family:verdana"> <hr>
<div style="text-align:justify">The <strong><em>OPLIN 4cast</em></strong> is a weekly compilation of recent headlines, topics, and trends that could impact public libraries. You can subscribe to it in a variety of ways, such as: <br>
</div>
<div style="text-align:left"> </div>
<ul>
<li style="text-align:justify"><strong>RSS feed.</strong> You can receive the OPLIN 4cast via RSS feed by subscribing to the following URL: <a href="http://www.oplin.org/4cast/index.php/?feed=rss2" target="_blank">http://www.oplin.org/4cast/<wbr>index.php/?feed=rss2</a>.</li>
<li style="text-align:justify"><strong>Live Bookmark.</strong> If you're using the Firefox web browser, you can go to the 4cast website (<a href="http://www.oplin.org/4cast/" target="_blank">http://www.oplin.org/4cast/</a>) and click on the orange "radio wave" icon on the right side of the address bar. In Internet Explorer 7, click on the same icon to view or subscribe to the 4cast RSS feed.</li>
<li style="text-align:justify"><strong>E-mail.</strong> You can have the OPLIN 4cast delivered via e-mail (à la OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at <a href="http://lists.oplin.org/mailman/listinfo/OPLIN4cast" target="_blank">http://lists.oplin.org/<wbr>mailman/listinfo/OPLIN4cast</a>.</li>
</ul> </span> </td>
</tr>
<tr>
<td style="text-align:center;font-family:'Century Gothic',sans-serif;border-top:0px solid rgb(255,255,255);background-color:#2c4587;color:#fff" valign="top" width="760">© 2016 Ohio Public Library Information Network</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div></div></div></div></div></div></div>
</div>