
NIST Digital Identity Guidelines Draft for Comment

2:10 am on Feb 5, 2017 (gmt 0)

Senior Member from CA 


joined:Nov 25, 2003
posts:1107
votes: 264


For those of you interested in such things:
NIST (National Institute of Standards and Technology), US Department of Commerce
NIST SP 800-63-3 Public Draft
Digital Identity Guidelines [pages.nist.gov]: Public Comment Period, 30-January - 31-March-2017

The four major linked resources for reading/consideration:
* Digital Identity Guidelines [pages.nist.gov]
* Enrollment & Identity Proofing [pages.nist.gov]
* Authentication & Lifecycle Management [pages.nist.gov]
* Federation & Assertions [pages.nist.gov]

For those of you not at all interested in the breadth and depth, the nitty gritty and banality of government publications, a few paraphrased extractions on passwords for you to consider:
* passwords should be an absolute minimum of 8 characters, up to a maximum of 64. The more sensitive/personal the data, the longer the password.

* passphrases should accept all/common punctuation and languages.

* passwords should accept all ASCII and UNICODE printable characters including spaces and emoji.

* passwords must be hashed, salted, and stretched for storage.
---an absolute minimum salt of 32 bits;
---a keyed HMAC (Hash Message Authentication Code) hash using SHA-2 or SHA-3 (Secure Hashing Algorithm);
Note: there are still ~500,000 SHA-1 certs in existence.
Note: Chrome now treats connections with SHA-1 certs that expired last year as HTTP not HTTPS.
Note: Chrome now warns on SHA-1 certs expiring this year as weak.
---and an absolute minimum of 10,000 iterations with PBKDF2 (Password-Based Key Derivation Function 2, aka the stretching algorithm).

* NO NO NO aka DO NOT use:
---password hints
---Knowledge Based Authentication (KBA)
---password expiration, except when the password is forgotten, phished, or there is reason to suspect the pw DB has been hacked.
---Short Message Service (SMS) for two-factor authentication (2FA).

What this means for those whose sites use passwords is that you should consider upping your game.

What this means for those of you that handle/store personal/sensitive data/information is that you might want to do some reading...
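One way to implement the storage rules summarised in the post above (a salt above the 32-bit floor, PBKDF2 with an HMAC-SHA-2 core, at least 10,000 iterations) together with the 8-64 character and "accept any printable Unicode" rules. This is an added Python example, not code from the thread or from NIST's publication; the 16-byte salt, the 100,000 iteration count and the record format are this example's own choices.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed parameters for this example: they exceed the minimums quoted in
# the post (32-bit salt, 10,000 PBKDF2 iterations) rather than match them.
SALT_BYTES = 16           # 128-bit salt, well above the 32-bit floor
ITERATIONS = 100_000      # ten times the 10,000 floor
MIN_LEN, MAX_LEN = 8, 64  # length limits counted in Unicode code points


def validate_password(pw: str) -> bool:
    """Enforce only length; accept spaces, punctuation, any script, emoji."""
    # Count code points, not UTF-8 bytes, so an emoji-heavy password
    # is not rejected as "too long" after encoding.
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False
    # Reject control characters (category Cc); everything printable passes.
    return all(unicodedata.category(c) != "Cc" for c in pw)


def hash_password(pw: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if not validate_password(pw):
        raise ValueError("password must be 8-64 printable characters")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    # PBKDF2 with an HMAC-SHA-256 core: salted and stretched as required.
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, record: str) -> bool:
    """Recompute from the stored salt/iterations; compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    rec = hash_password("correct horse 🐴 battery staple")
    print(rec)
    print(verify_password("correct horse 🐴 battery staple", rec))  # True
    print(verify_password("correct horse battery staple", rec))     # False
```

Storing the iteration count in the record lets you raise it later for new passwords while old records still verify.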
3:02 am on Feb 5, 2017 (gmt 0)

Senior Member from KZ 


joined:Jan 10, 2005
posts: 2938
votes: 24


Very interesting read, thanks for the links. It gives some fresh insights about how to properly implement authentication. Thanks also for the paraphrased extractions. I am a little bit surprised about phasing out SMS service over POTS. Have to read that document carefully.
5:29 am on Feb 5, 2017 (gmt 0)

Senior Member from US 


joined:Apr 9, 2011
posts:14435
votes: 576


What, I hesitate to ask, is Knowledge Based Authentication? Please say it isn't those pictorial captchas where they say "mark all the pictures of Switzerland" and they show you eight sampans and a junk.

:: vague mental association with old-style Broderbund copy protection that involved references to pages in some physical book that nobody would ever keep after its publication year ::
6:29 am on Feb 5, 2017 (gmt 0)

Administrator from US 


joined:Dec 27, 2006
posts:3565
votes: 197


I don't know for certain but Knowledge Based Authentication could refer to those "secret" questions some places require you to set in your account. You know, the "What model was your first car?" or "What was your first grade teacher's last name?" kind of questions.

I've been having a problem logging in at a financial services account where each month they refuse to let me in using the new password I had to set the month before when I tried to log in. Every month jumping through hoops to reset the password I just reset a month ago is getting pretty irritating. When I wrote to ask them about it, they tell me it is because I don't have cookies. Baloney. I've been using their services since about 2002 online and this just started in November. Maybe next time I'll just send them a link to this info - part 10 about "User Experience". ;)