
JamieV

Posts posted by JamieV

  1. 8 hours ago, Xaero said:

    These best practices do come with a caveat, using brute force alone, a 12 character password consisting of only upper and lower case English alphabet characters would take just over two years to crack on a single RTX6000. This time more or less scales downward linearly with the number of GPUs you add. This is just brute force. Rainbow table based dictionary attacks can throw the entire English dictionary and all documented first, last, middle, and pet names at the problem in a fraction of that time, and then start concatenating them together for additional attempts.

    The best practices assume a well designed validation model. Per-user time delay login attempt lockouts (Too many failed attempts! Try again in 15 minutes!) increase the time to crack exponentially. 2FA also practically eliminates brute force as an attack vector.

    P.S. @ljm42 the site you linked would seem to suggest that cracking even just a 12 character Upper/Lowercase password is sufficiently complex for most users. It's using some pretty outdated data that doesn't take GPU compute into account, or rainbow tables though.


    Yes, you're correct but as you also say this is only really for brute force which assumes you have lost your password DB. Most attacks are either phishing or spray attacks now using compromised passwords.


  2. 15 hours ago, ljm42 said:

    > Drop complexity requirements


    We realize that complexity requirements are controversial. But upper/lower/number doesn't seem that harsh? The good news is that phrases still work, you just need to tweak them slightly. Here is a site that shows how poor an all lowercase 12 character password is, and the value of using a larger character set:
      https://passwordbits.com/password-cracking-calculator/ 


    It is not controversial, it is wrong. Your calculator is just that, a calculator that states how many combinations there are available. Unfortunately, by enforcing complexity you have just removed any password from the available pool that does not meet your complexity requirements and drastically reduced the amount of time needed. However, this is pretty moot now as brute force password cracking is only really available once the password DB has been obtained. Most online compromises are now performed by using password breach lists (Password spray attacks) so checking that passwords are not on a breach list is really important - you are not doing this. The password Mississippi1 complies with your complexity rules and can be set as a password but it exists in the top 100 most common passwords.


    Removing complexity makes passwords easier to remember and encouraging pass phrases makes passwords easier to remember and harder to crack. Users mostly do the same thing when they create a password with complexity, they add a number to the end, or a ! and the bad actors know this. 

    https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

    What can you do to improve:

    • Add federation to allow use of Google, Microsoft or Apple accounts to sign in - one less password for a user to remember and these companies are very good at security.
    • Enable passkeys - The next gen in internet security
    • Add compromised password checking - use a service such as https://haveibeenpwned.com/API/v3#PwnedPasswords which will stop any compromised password being set and therefore drastically reducing the success of password spray attacks.
    • Remove complexity to increase the available number of passwords and make them easier to remember.


    Side note, happy to sell you some consultancy on this ;-)


    • Like 1
    • Thanks 1
  3. Why on earth are you implementing archaic complexity requirements? Do you not follow the best practices for Identity - password complexity DOES NOT improve security, in fact there is strong evidence to prove it weakens security. 


    Please, please, please, follow best practices:

    Use a minimum password length of at least 12 and maximum at least 64

    Drop complexity requirements

    Check passwords against a compromised password list (e.g. haveibeenpwned.com)

    Encourage the use of pass phrases. "robot banana gunmetal" is a lot more secure than "Pa$$w0rd1" which meets your complexity rules - https://haveibeenpwned.com/Passwords


    Don't just take my word for it though:

    https://letmegooglethat.com/?q=modern+password+requirements


    • Like 2
    • Thanks 2
    • Upvote 1
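The policy argued for in the two posts above (minimum length 12, maximum 64, no composition rules, reject anything on a breach list) as a single worked example. This is added illustration code, not code from the forum thread or from any product discussed in it. It uses the real Pwned Passwords range-lookup format (`GET https://api.pwnedpasswords.com/range/{first 5 hex of SHA-1}`, response lines of `SUFFIX:COUNT`), but the network call is replaced with an offline stand-in built from a constructed breach list whose passwords and counts are made up for the demo; the `hibp_range_lookup` function is provided for use against the live service but is never called here.

```python
"""Password policy check without complexity rules, plus a k-anonymity breach lookup.
Added example; the breach list and its counts are CONSTRUCTED for the demo."""

import hashlib
import urllib.request
from typing import Callable, Dict, List

MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed stand-in for a real breached-password corpus (counts are made up).
CONSTRUCTED_BREACH_LIST = {
    "Mississippi1": 1234,   # passes upper/lower/number rules yet is a common password
    "Pa$$w0rd1": 5678,
    "password1234": 91011,
}


def sha1_upper(password: str) -> str:
    """Pwned Passwords keys its data by upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_list: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the constructed list by 5-hex-char prefix, mirroring the range API:
    each prefix maps to 'SUFFIX:COUNT' lines for the remaining 35 hex chars."""
    index: Dict[str, List[str]] = {}
    for pw, count in breach_list.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_LIST)


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for the API: returns the response body for one prefix."""
    return "\r\n".join(RANGE_INDEX.get(prefix.upper(), []))


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (not used offline).
    Only the 5-char prefix leaves the client; the API requires a User-Agent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """k-anonymity check: send the SHA-1 prefix, compare suffixes locally.
    Returns the breach count, or 0 when the password is not in the list."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.upper() == suffix:
            return int(count) if count.strip().isdigit() else 1
    return 0


def validate_password(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Return the list of reasons a password is rejected; empty means accepted.
    Deliberately no upper/lower/digit/symbol requirements: length and breach
    status are the only criteria, so long pass phrases are accepted as-is."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    count = pwned_count(password, lookup)
    if count:
        problems.append(f"appears in breach list ({count} times)")
    return problems


if __name__ == "__main__":
    for candidate in ["Mississippi1", "Pa$$w0rd1", "robot banana gunmetal", "short"]:
        print(repr(candidate), "->", validate_password(candidate) or "OK")
```

Run as-is it uses only the constructed list; to check against the live service pass `lookup=hibp_range_lookup` to `validate_password`. The point the thread makes shows up directly in the output: "Mississippi1" satisfies every composition rule and is still rejected, while the three-word phrase passes with no rule about character classes at all.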