NJ Courts Impose Ridiculous Password Policy 'To Comply With NIST' That Does Exactly What NIST Says Not To Do

from the the-poor-online-security-guardin'-state dept

As a New Jersey native I know how tempting it is for people to gratuitously bash my home state. But, you know, sometimes it really does have it coming.

In this case it’s because of the recent announcement of a new password policy for all of the New Jersey courts’ online systems (ranging from e-filing systems for the courts to the online attorney registration system) that will now require passwords to be changed every 90 days.

This notice is to advise that the New Jersey Judiciary is implementing an additional information security measure for those individuals who use Judiciary web-based applications, in particular, attorney registration, eCourts, eCDR, eTRO, eJOC, eVNF, EM, MACS, and DVCR. The new security requirement – password synchronization or p-:-synch – will require users to electronically reset their passwords every 90 days.

For reasons explained below, this new policy is a terrible idea. But what makes it particularly risible is that the New Jersey judiciary is claiming this change is being implemented in order to comply with NIST.

This requirement is being added to ensure that our systems and data are protected and secure consistent with industry security standards (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)).

The first problem here, of course, is that this general allusion to NIST is not helpful. If NIST has something specific to say that the courts are relying on, then the courts should specifically say what it is. Courts would never accept these sorts of vague, hand-wavy references to authority in matters before them. Assertions always require a citation to the support upon which they are predicated so that they can be reviewed for accuracy and reasonableness. Instead the New Jersey judiciary here expects us to presume this new policy is both, when in fact it is neither.

The reality is that the NIST Cybersecurity Framework does not even mention the word “password,” let alone any sort of 90-day expiration requirement. Moreover, what NIST does actually say about passwords is that they should not be made to expire. In particular, the New Jersey judiciary should direct its attention to Special Publication 800-63B, which expressly says:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

That same section of the Special Publication also says that, “Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets” because, as a NIST study noted, it tends to reduce overall security hygiene. Guess what else the new New Jersey password policy does:

Users must select passwords that are no more than eight (8) characters long and contain at least one capital letter, one lower case letter, one numeral, and one of the enumerated special characters.
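To make the contrast concrete, here is an added example (not from the article, the NJ Judiciary, or NIST) that models the two rule sets side by side in Python: nj_policy() implements the quoted NJ rules (at most 8 characters, one of each character class), and nist_policy() implements the SP 800-63B approach the article cites (length bounds, a blocklist screen, no composition rules). The special-character set, the blocklist, the list of common stems, and the run-length thresholds are all constructed for the example; a real verifier would load a large breach-derived list rather than the handful of entries here.

```python
"""Two password policies side by side: the NJ rules quoted in the article
versus the SP 800-63B guidance the article cites. Added example; the
blocklist, stems and thresholds are constructed for illustration."""
import re
import unicodedata

# Assumed set of "enumerated special characters"; the notice does not list them.
NJ_SPECIALS = set("!@#$%^&*")


def nj_policy(pw):
    """NJ-style rule check: at most 8 chars, one upper, one lower, one digit, one special."""
    if len(pw) > 8:
        return False, "longer than 8 characters"
    checks = [
        (any(c.isupper() for c in pw), "no capital letter"),
        (any(c.islower() for c in pw), "no lower case letter"),
        (any(c.isdigit() for c in pw), "no numeral"),
        (any(c in NJ_SPECIALS for c in pw), "no special character"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "accepted"


# Constructed stand-in for the blocklist. SP 800-63B says to screen against
# commonly-used, expected or compromised values; a real verifier loads a large
# breach-derived list here, not five entries.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "correcthorsebatterystaple"}
# Stems of seasonal/greeting passwords that users pad with a year and a symbol
# (the "Summer2018!" / "Sum2018!" pattern). Also constructed for the example.
COMMON_STEMS = {"spring", "summer", "autumn", "fall", "winter",
                "spr", "sum", "aut", "win", "welcome", "password"}

MIN_LEN, MAX_LEN = 8, 64   # 800-63B: at least 8 required, at least 64 permitted


def is_sequential(s, run=4):
    """True if s contains `run` consecutive code points in ascending order ('abcd', '1234')."""
    return any(all(ord(s[i + j + 1]) - ord(s[i + j]) == 1 for j in range(run - 1))
               for i in range(len(s) - run + 1))


def nist_policy(pw, context_words=()):
    """SP 800-63B-style check: length bounds plus a blocklist screen, no composition rules."""
    pw = unicodedata.normalize("NFKC", pw)   # 800-63B recommends normalizing Unicode first
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BLOCKLIST:
        return False, "on the blocklist"
    stem = re.sub(r"[^a-z]", "", low)           # strip digits/symbols to catch "Sum2018!"
    if stem in COMMON_STEMS:
        return False, "variant of a common password"
    if any(w.lower() in low for w in context_words if w):   # e.g. service or user name
        return False, "contains a context-specific word"
    if re.search(r"(.)\1{3,}", low):            # 'aaaa' style repetition
        return False, "repetitive characters"
    if is_sequential(low):
        return False, "sequential characters"
    return True, "accepted"


def compare(pw, context_words=()):
    """Accepted-or-not under each policy, to see where the two disagree."""
    return {"nj": nj_policy(pw)[0], "nist": nist_policy(pw, context_words)[0]}


if __name__ == "__main__":
    for pw in ["Sum2018!", "Thisismyverylongpassword", "!@ABCDe", "correcthorsebatterystaple"]:
        print(f"{pw!r:30} {compare(pw)}")
```

Run it and "Sum2018!" passes every NJ rule while the blocklist screen rejects it; "Thisismyverylongpassword" is rejected by the NJ rules for being too long and accepted under the 800-63B rules. The length check and the blocklist do the real work; the character-class rules only push users toward the predictable patterns the blocklist has to catch.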

It also gets worse, because as part of this password protocol it will require security questions in order to recover lost passwords.

Additionally, this policy change will require that each user choose and answer three personal security questions that will later allow the user to reset their own password should their account become disabled, for example, because of an expired password. The answers to the three security questions should be kept confidential in order to reduce the risk of unauthorized access and allow for most password resets to be done electronically.

Security questions are themselves a questionable security practice because they are often built around information that, especially in a world of ubiquitous social media, may not be private.

From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place (web and social media searches can often reveal where someone grew up or what the make of their first car was), the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.

The Wired article this passage came from is already two years old. Far from New Jersey imposing an “industry standard” password protocol, it is instead imposing one that is outdated and discredited, which stands to undermine its systems’ security rather than enhance it.

And largely, it seems, because it does not understand the unique needs of its users, who are not all the same. Some may log into these sites daily, while others (like me) do so only once a year when it’s time to pay our bar dues. (What does this 90-day reset requirement mean for an annual-only user?) Furthermore, although things have been improving over the years, lawyers are notoriously non-technical. They are busy and stressed, with little time to waste wrangling with the systems they need to use to do their job on behalf of their clients. And they are often dependent on vendors, secretaries, and other third parties to act on their behalf, which frequently results in credential sharing. In short, the New Jersey legal community has some particular (and varied) security needs, which all need to be understood and appropriately responded to in order to improve systems security overall for everyone.

But that’s not what the New Jersey courts have opted to do. Instead they’ve imposed a sub-market, ill-tailored, laborious, and needlessly demanding policy on their users, and then blamed it on NIST. But as yet another NIST study explains, security is only enhanced when users can respect the policy enforcing it. The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

The key finding of this study is that employees’ attitudes toward the rationale behind cybersecurity policies are statistically significant with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance to protect passwords and system security.

As NIST noted in a summary of the study, “‘security fatigue’ can cause computer users to feel hopeless and act recklessly.” Yet here are the New Jersey courts, expressly implementing, for no good reason, a purposefully cumbersome and frustrating policy, one that could hardly be better calculated to overwhelm users, and which, despite its claims to the contrary, is far from a respected industry norm.


Comments on “NJ Courts Impose Ridiculous Password Policy 'To Comply With NIST' That Does Exactly What NIST Says Not To Do”

Paul Brinker (profile) says:

Same Policy

I work in an IT field, I find that the first thing I do when allowed is to turn off 90 day password policies.

The only thing this has done is made my passwords cycle over a few years. This is still less secure than the alternative of a long passphrase made from all lower case letters.

“Thisismyverylongpassword” is more secure than !@ABCDe

ShadowNinja (profile) says:

Re: Same Policy

I’ve heard stories of workplaces with this policy.

A lot of employees did one of two things to remember their constantly changing passwords:

  • Wrote their passwords down and left it somewhere on their desk. (this is referred to as the 3 feet rule, where if you throw a bunch of arbitrary password rules on that make it hard to remember your password users will leave their written down password within 3 feet of their desk chair)
  • Used passwords like "Summer2018!", "Spring2018!" to make it easy to remember.

Bergman (profile) says:

Re: Re: Re: Same Policy

So they switch to “Sum2018!” and “Spr2018!”. And since a season is about 90 days, that gives them a password that meets all the new password requirements of the NJ courts.

And the hackers win too, because that password is guessable by the sort of botnets serious hackers use for this sort of thing in less than 4 hours.

Paul Brinker (profile) says:

Re: Joisey is DOOMED!

It’s not a very reasonable policy. It mostly results in people clicking on the reset password link all the time.

Reset password links are often the weak link. Mostly because they make them super easy to use. Firms are really bad at people calling in on them as well. All it takes is 1 call to steal someone’s account, a call to change the password.

ShadowNinja (profile) says:

Re: Joisey is DOOMED!

You should read this famous XKCD comic on password strength

And the worst part is a bunch of sites still don’t allow CorrectHorseBatteryStaple as a password because of it violating those password rules. Which makes requiring password switches every so many days even worse for all the reasons this comic highlights.

That One Guy (profile) says:

Re: Re: Joisey is DOOMED!

To be fair were I in charge of setting password rules on a site I wouldn’t allow that one anyway, because at this point you can be sure anyone trying to crack an account would try that one early on(if not first) just in case.

That point that many sites still have stupid password rules on the other hand stands.

Ninja (profile) says:

Re: Joisey is DOOMED!

If you had informed yourself about password policies before posting your petty attacks you’d have realized that, empirically speaking, people tend to fuck up when you impose expiration dates on passwords by choosing sequential, dumb keys their biological, limited memories can actually remember. You can visit Troy Hunt’s blog for very good tips and Have You Been Pwned site for more insight on bad password practices and how common they are.

Don’t make a fool of yourself.

Anonymous Coward says:

Re: Joisey is DOOMED!

OR, it may be a reasonable policy for site that has many people using it briefly over short periods of time in a given case, then leaving the passwords lying around.

No, that’s never a reasonable policy. Especially when the max character limit is a measly 8 characters. If it’s only going to be used briefly for a short period, then the better way to handle it is to disable their account automatically after a few days, once they’ve done what they needed to. Or grant access using time limited, temporary credentials, and require re-registration each time they need access. Or another option, issue security tokens.


No, they just know better than you.

Basically I guess what I’m getting at is almost ANY solution is better than the nonsense you’ve proposed. Try educating yourself on security before you make a fool of yourself. Oops, too late.

Ted the IT Guy (profile) says:

Security Theater

I see this in so many large organizations. A 90 day password rotation cycle is a complete farce. Arbitrary complexity requirements/limits and password histories make it that much worse for users, who just tune out these IT policies. What really gets me is when they limit the password length to 8 or 9 characters; my normal passwords are usually at least 15 characters long and I have many over 20.

Users end up with a piece of paper hidden somewhere at their desk or in their wallet/purse with the list of passwords they rotate through. To make matters worse, they are usually garbage passwords like Sprn$018, Smmr$018, Atmn$018 and Wntr$019.

Don’t even get me started on password reset procedures.

btr1701 (profile) says:

Password Lunacy

My agency does this same nonsense with passwords, but it’s even worse. I would *love* to have 90 days with a password. Instead, we’re down to 45 days (a month and a half) before we have to change, and our passwords are required to be a *minimum* of 16 characters, and with dozens of rules specifically designed to prevent the password from being anything easily memorable, resulting in everything but literally something that looks like this– JtwOPm1*%20Mw– being rejected.

Now add on top of that the fact that we have multiple systems, all with their own different password rules and change schedules.

Since no one except Rainman can remember strings of gibberish characters like that which change every 45 days, the end result is a Post-It on everyone’s computer with the passwords written down on them, which defeats the entire purpose of this whole blinkered system.

Wnt says:

Designed to fail on purpose

“Security questions” are not *accidentally* stupid, but *intentionally* stupid. If any site using them had any intent to protect your security, they would let you type in your own security question to answer. Like, duh. Instead, they give you a choice of a few things that are easier for a hacker to guess than for you to remember.

Now you can try to sell me a conspiracy theory that says that EVERY SINGLE SITE and organization ALL fail to grasp this basic logic … or you can admit that the purpose of security questions is to be hacked.

That leaves only one question: are they meant to be hacked only by cops/private investigators/spies etc. who have some “good reason” to prowl through your account without some official rigmarole like a warrant? Or are they designed to be hacked by organized crime in exchange for a simple payment? That I can’t be totally sure about. The abundance of overpaid spies supports the former, while the intentional profit centers built into U.S. drugs policy and prostitution policy favor the latter. It’s also possible the two are indistinguishable even in principle.

Sharur says:

Re: Designed to fail on purpose

Not a conspiracy:

The purpose of security questions is that WHEN they get hacked, they can wave the security questions in front of a technically illiterate decision maker, to say “yes, we did due diligence and made a reasonable effort to secure the hacked data”, and have them buy it, even if they are sending passwords over email and storing them in plaintext.

Anonymous Coward says:

Re: Designed to fail on purpose

Now you can try to sell me a conspiracy theory that says that EVERY SINGLE SITE and organization ALL fail to grasp this basic logic

"Never attribute to malice that which is adequately explained by stupidity."

Given our current political and cultural climate, is it really THAT surprising many sites and organizations fail at security?

Plus you also have to take into account that security wasn’t really that big of a thing in the early days of computing, at least not in the public sector and many of these sites and organizations are still playing catch up in that respect.

Why do some businesses continue to refuse to update their internal IT operating systems and software. Some businesses are still operating on Windows XP for crying out loud. It’s not because they’re deliberately making their businesses insecure, they just don’t understand the ramifications or aren’t willing to spend the money and effort to actually be responsible. Being irresponsible is cheaper and easier and they are gambling they won’t have any breaches.

That said, I think we are seeing a paradigm shift, especially with major organizations like Target and Equifax being hacked, they’re realizing they can no longer take security so lightly, but now they’re playing catch up.

And it’s not "EVERY SINGLE SITE and organization". There are ones out there that do get it right. Are they in the minority? Absolutely but, like I said, that’s starting to change. More places are supporting and/or requiring MFA, password policies are being updated to be more robust, along with some sites doing away with the secret questions.

Case in point, have you ever tried to recover your gmail account? The information they ask for is crazy specific. I have a throwaway gmail account I created years ago that I now can’t get access to because I forgot my password and the information Google wants to know before granting me access is stuff I don’t even remember. Like how long ago did you create it and when was the last time you accessed it, among others. Hell if I know the last time I accessed it was, sometime way back in high school and early college, but that’s a range of at least 4 – 6 years. That’s too broad and Google denies me access because I can’t be more specific.

Wnt says:

Re: Re: Designed to fail on purpose

That bogus “Hanlon rule” probably was invented by the CIA. In a world full of robo-signers, Russian trolls, botnets, and spy agencies, where even the proles entertain themselves learning how to lie to each other on Survivor type shows, I am told five thousand times to believe in pure stupidity without a trace of malice … even though almost everything any government or company does any more is malicious.

Next week a bunch of first graders are going to get put on the school bus and there’s going to be some little darling who gets whacked on the back of the head before he gets half a block from Mommy. “Oh, sorry, it was an accident.” Then it’s a kick to the back of the seat and cupcake icing in his hair. And he’s going to get off the bus to be told by some teacher “Never attribute to malice what can be … called an accident.” Yeah. Uh-huh. Right. You know, a first grader wouldn’t believe the second grader behind him was too stupid to know what he’s doing. SO WHY SHOULD I BELIEVE THAT A BUNCH OF SELF-PROCLAIMED COMPUTER GENIUSES MAKING WAY MORE THAN I DO ARE DOING THE SAME IDIOTIC THINGS OVER AND OVER AGAIN BY ACCIDENT???

Anonymous Coward says:

Re: Re: Re: Designed to fail on purpose

That bogus "Hanlon rule" probably was invented by the CIA.

Considering the concept, if not the label, has been around long before the CIA, you’d be wrong in that assumption.

even though almost everything any government or company does any more is malicious.

If you look for conspiracy theories you will absolutely find them. Sorry to burst your bubble but the human race is a bunch of bumbling idiots. We do stupid stuff ALL THE TIME. If you don’t believe me look at history. Automatically assuming anything any government or corporation does is inherently malicious is, well, stupid. Look at the facts and weigh them on their merits.

If it was truly the case that these entities were deliberately making it easy to hack your accounts, then 1) why are so many of them implementing more security features that are much more difficult to hack such as MFA, physical security tokens, etc… and 2) if it was all a giant conspiracy then why hasn’t it come to light? Seriously. You can’t honestly sit there and tell me that hundreds of thousands of corporations have all plotted together to deliberately let hackers into your accounts and NO ONE has ever come forward with claims or proof of it? We’re talking thousands of people who would have to be in the know for decades, there’s no way that never gets out.

some little darling who gets whacked on the back of the head before he gets half a block from Mommy. "Oh, sorry, it was an accident." Then it’s a kick to the back of the seat and cupcake icing in his hair.

I’m so sorry you were bullied as a child. Maybe try to let it go now?

"Never attribute to malice what can be … called an accident."

Intellectually dishonest much? There’s a difference between "called an accident" and "explained by stupidity". Maybe try not re-wording things to fit your narrative?

A first grader deliberately doing those things is different than them happening by accident. And in those cases you bring up it’s pretty easy to tell whether it was done maliciously or accidentally. Hanlon’s Razor comes in when you can’t easily identify whether it was malicious or stupidity. And since you think it’s so obvious this is all done maliciously you must have some pretty obvious proof, right? Leaked emails? Corporate documents? Court cases? Eye-witness accounts? Anything? Bueller?

You know, a first grader wouldn’t believe the second grader behind him was too stupid to know what he’s doing.

No, and neither would most adults because there is a BIG difference in evidence if something was done deliberately or by accident. Whacking someone on the back of the head, kicking their seat, and smearing frosting in their hair doesn’t happen ordinarily, but if the bus hit a bump and the cupcake went flying was that malicious too? See, your result can be labeled the same if you ignore everything that led up to it.

Besides that, your schoolyard examples are really apples to oranges to what we’re talking about here.


Whoever said that computer geniuses were in charge of every single corporation out there? Do you have proof of this?

And even if they are computer geniuses, that doesn’t make them security geniuses as well.

And finally, because people are idiots and make mistakes, even if they are "self-proclaimed genius" (note the self-proclaimed part).

Come on man, this isn’t hard.

ECA (profile) says:

HOW long has it taken..

For the MAJOR sites to learn the lessons about passwords??

There is one site I need to pay bills, that I ALWAYS have to redo, almost every month. It can’t ID my computer.

A Name (don’t think of it as NAME, make it any word you want)

A REASONABLE password (Patterns work better than anything else, I have customers that have 5 email accounts they can’t figure the password for) (and have Never forgotten the one I created on their computer)

DEDICATED Phone contact Phone number, OR 2.
An email address, NOT from your ISP.. OR 2.

1-2 Secret words.. I say words, because the Questions mean nothing…it’s the Answer that Counts. Don’t give the name of your Dog, Parents, or your School…Make up a BETTER WORD.

NEVER ask for your password..ASK for it to be sent to your EMAIL..PHONE, or other location that you have already set.

MANY sites keep a list of changes, you have made to your account and Data.. Which is GREAT. BUT pay attention to any EMAIL warning..
NEVER CLICK AN EMAIL YOU DON’T KNOW..GO DIRECT TO THE SITE YOURSELF. If there is a problem CONTACT THEM..Be aware you will be asked REAL questions..

Anonymous Anonymous Coward (profile) says:

Easier, and safer to do.

Maybe a better way would be to provide a link to a password manager, tell them how to set the password length to 32 characters, and tell them to use the password manager’s Manage Password Policy function, with correct settings, and then the generate function, which will give a fairly random but properly complex password that is then saved. The only password the user then needs is the one to their password manager.

Agammamon says:

Something else the NJ courts should be asking – who the hell decided that NIST compliance was mandatory? Or even a good thing?

It’s like someone in IT management decided to pick a random standard publisher and impose it on the courts state-wide. But NIST compliance won’t save you from liability and so – why do that rather than an in-house standard that you developed with the needs and peculiarities of your users in mind?

Derek Kerton (profile) says:

Longer Passwords Are Better

“Users must select passwords that are no more than eight (8) characters long…”

If Jersey is not allowing passwords longer than 8 chars, I think we can all agree that this is stupid, not user friendly, and also less secure than longer passwords.

And, of course it’s, AGAIN, the opposite of NIST recommendations.

From NIST 800-63B:
“Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.”

Ninja (profile) says:

Re: Longer Passwords Are Better

Some say even this limit is arbitrary. Services should allow password managers and impose no restrictions at all if possible while also providing solid 2FA. Google has reported that no employee has fallen victim to phishing attacks since they made the use of physical keys their 2FA (guess they’re using Yubico stuff).

NJ screwed up. Badly. If this came from their IT staff then they should fire the ones responsible.

Kev (profile) says:

NIST 800-53 Control Set

IA-5 is the relevant NIST control. Here’s the control enhancement section and as you can see, it’s all defined by the organization:

Control Enhancements:
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

I think what they may actually be referring to is CJIS, not NIST. Here is the relevant control from that set:

Password
Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.

Either way, it’s a shit policy.

Jeff R says:

Re: NIST 800-53 Control Set

That is the older, superseded NIST guidance.

The new NIST guidance, published June 2017, does not require password categories, explicitly discourages (SHOULD NOT) arbitrary password change requirements (e.g., password expiration), with forced password changes only encouraged when there is evidence that the password has been compromised.

They also recommend that the entered password be allowed to be displayed at the request of the user (for example, when they are alone, etc) to reduce typographical errors in password entry.

In fact, most of the recommendations they previously made have been rescinded.

tom (profile) says:

Seems we might have identified the bureaucratic lag in NJ at about 10 years as that seems to be when those password standards were last fairly current.

And I have a deep hate for ‘Security Questions’. Years ago, we had an employee leave, on good terms, from a remote office. A few months later, we had to call the ISP to change something with the account. They required the correct answer to the Security Question answered several years earlier by the recently departed employee. Ever had to guess the Favorite Restaurant of a former employee that worked in a town 50 miles away?

Anonymous Coward says:

I wish I could say Russia wasn't involved.

Quote: The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

How in the world is an eight digit, basic alphanumeric passcode supposed to be more secure?
Makes you wonder who implemented the change in protocol and whether or not they were bribed by or influenced by Russians in some manner.

Anonymous Coward says:

Re: Writing Down Passwords Is Fine

You know how to keep your credit cards and your keys and your cash safe from being lost or stolen, right?

Stealing credit cards is not so useful anymore, because people will notice quickly and cancel them, plus they require PINs. It’s more practical to snap a discreet photograph of the card, including security code, and sell it online.

And in fact, people don’t know how to keep their keys safe. Some people wear them fully visible on an exposed keychain. I understand it’s trendy now to post pictures of one’s house keys when buying a house. Do you remember when the TSA key bitting leaked similarly? (Never mind that one would have had millions of cheap cylinders to reverse-engineer even if it hadn’t.)

Christenson says:

Personal password policy

I *ASSUME* that etc/password will be stolen, and that any password under 16 or so random characters will be rendered in the clear.

Likewise, truthful answers to secondary questions will always be discoverable and are likely to leak.

Therefore, a 16 character random string which increments my favorite punctuation character is what I use to protect a work account, and the answers to the secondary questions are random strings kept in a little black book.

But… dear courts, do make sure that whatever passwords are required for actually needs protection and isn’t just a public record!

Anonymous Coward says:

Re: Re: Re: Personal password policy

You also assume the thief is capable of decrypting same, not that it is difficult to do but not many are willing to spend the time unless there is something of known value to be stolen from you. The time it takes to decrypt is (should be) proportional to the complexity of the password.

Christenson says:

Re: Re: Re:2 Personal password policy

Umm, that complexity is exponential in the length of the password…which is why I think 16 characters (and not, say 24 or 48) is good enough.
I started with the assumption that whatever I was protecting was valuable enough to steal. No password at all has been good enough for me on Techdirt, for example. If it’s just a crap account, like a place I ask for tech support, I don’t bother with password security.
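As an added example (not from any commenter) to put numbers on Paul Brinker’s “Thisismyverylongpassword” vs “!@ABCDe” comparison earlier in the thread and on the exponential-in-length point made here, the guess-space arithmetic in Python. The 10^10 guesses per second rate is a constructed figure (the real rate depends on the hash the verifier stores, as the previous reply notes); the 2048-word list size follows the per-word estimate in the XKCD comic linked above; and every figure assumes uniformly random choice, so for human-chosen strings these are upper bounds.

```python
"""Guess-space arithmetic behind "length beats complexity". Added example;
the guess rate and the word-list size are constructed assumptions."""
import math

PRINTABLE = 95   # printable ASCII characters
LOWER = 26       # lower-case letters only
XKCD_WORDS = 2048  # ~11 bits per word, as in the linked comic (assumption)


def random_bits(length, alphabet_size):
    """Entropy of a uniformly random string: log2(alphabet^length).
    Linear in length (so the keyspace is exponential in length) but only
    logarithmic in alphabet size, which is why adding symbol classes helps
    far less than adding characters."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size):
    """Entropy of a passphrase of words drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def expected_years(bits, guesses_per_second):
    """Expected time to find a uniformly random secret offline: on average
    half the keyspace has to be tried."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def scenarios(rate=1e10):
    """The thread's examples at an assumed offline rate of `rate` guesses/s.
    Returns {label: (bits, expected_years)}. Human-chosen strings such as
    'Thisismyverylongpassword' are NOT uniformly random, so the lower-case
    row is an upper bound; dictionary-aware guessing does much better."""
    cases = {
        "NJ-style maximum: 8 printable chars": random_bits(8, PRINTABLE),
        "7 mixed chars ('!@ABCDe' style)":      random_bits(7, PRINTABLE),
        "16 random printable chars":           random_bits(16, PRINTABLE),
        "24 lower-case letters":               random_bits(24, LOWER),
        "4 words from a 2048-word list":       passphrase_bits(4, XKCD_WORDS),
    }
    return {label: (round(b, 1), expected_years(b, rate)) for label, b in cases.items()}


if __name__ == "__main__":
    for label, (bits, years) in scenarios().items():
        print(f"{label:38} {bits:6.1f} bits  ~{years:.3g} years")
```

The table makes the commenter’s point precise: doubling the length of a random printable string doubles its entropy, while swapping 24 lower-case letters for 16 symbol-laden characters gains nothing. The 8-character ceiling in the NJ rules caps every user at roughly 52 bits, which is within reach of an offline attack against a fast hash, while 16 random characters or a few random words are not.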

orbitalinsertion (profile) says:

I was actually very pleasantly surprised recently in receiving an email from my bank suggesting some actually good password practices. One item included something that i always do: Answer your “security questions” without any regard for the question. I was shocked, to say the least. What is your mother’s maiden name? Wrenchgoingstravinskyxiexieburger.

Mason Wheeler (profile) says:

That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene.

This is a very important principle to remember when designing such systems: "Security at the expense of usability comes at the expense of security."
