undefined | Better HN

0 pointsjwr4y ago0 comments

In these cases, it makes sense to point people to NIST Special Publication 800-63B (Digital Identity Guidelines) https://pages.nist.gov/800-63-3/sp800-63b.html — their guidelines are pretty good and eliminate much of the braindead nonsense that is considered "accepted practice in the industry".

0 comments

gnud4y ago

Nice read! Specifically, under 10.1:

> Offer the option to display text during entry, as masked text entry is error-prone.

And under 10.2.1:

> Support copy and paste functionality in fields for entering memorized secrets, including passphrases.

(... snip ...)

> Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization. Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets. Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise. (See Section 5.1.1 for additional information).

vunuxodo4y ago

Taken to the extreme is the US Government's TreasuryDirect website, where individuals can buy savings bonds. Instead of allowing you to type your password, they render a "virtual keyboard" that you have to use your mouse to click the keys one by one.

Oh, and that password? Not case sensitive.

jolux4y ago

> Oh, and that password? Not case sensitive.

What, you expect them to make a case-sensitive version of NTFS just to store your password??

emodendroket4y ago

NTFS is case-sensitive.

Agent7664y ago

They made a case-insensitive version of NTFS just to store your password

bradknowles4y ago

It is case-preserving, but not case-sensitive.

So, it will show you what was entered and make you think it’s case-sensitive, but then when you go to do the comparison, it actually ignores case.

The stupid thing is that MacOS was also case-preserving but not case-sensitive for a long time.

2 more replies

jolux4y ago

I think it’s internally case sensitive and provides case insensitive APIs to users, right?

1 more reply

ratcline4y ago

I heard that systems like this were designed when there was a point in time(this may just be erroneous and such a time never actually existed) where keyloggers were more common than RATs, so government websites would often have this requirement due to the higher probability of access from public computers(library, etc), since that was also a point in time when fewer people had their own at home.

Slump4y ago

Hard to believe it requires a mouse. The government (everyone really but especially the government) generally would need to follow basic ADA guidelines...

juped4y ago

Yes, the authors of that document did an great public service in letting us point to an "official government standard".

j / k navigate · click thread line to collapse

0 comments

gnud4y ago

Nice read! Specifically, under 10.1:

> Offer the option to display text during entry, as masked text entry is error-prone.

And under 10.2.1:

> Support copy and paste functionality in fields for entering memorized secrets, including passphrases.

(... snip ...)

vunuxodo4y ago

Oh, and that password? Not case sensitive.

jolux4y ago

> Oh, and that password? Not case sensitive.

What, you expect them to make a case-sensitive version of NTFS just to store your password??

emodendroket4y ago

NTFS is case-sensitive.

Agent7664y ago

They made a case-insensitive version of NTFS just to store your password

bradknowles4y ago

It is case-preserving, but not case-sensitive.

So, it will show you what was entered and make you think it’s case-sensitive, but then when you go to do the comparison, it actually ignores case.

The stupid thing is that MacOS was also case-preserving but not case-sensitive for a long time.

2 more replies

jolux4y ago

I think it’s internally case sensitive and provides case insensitive APIs to users, right?

1 more reply

ratcline4y ago

Slump4y ago

Hard to believe it requires a mouse. The government (everyone really but especially the government) generally would need to follow basic ADA guidelines...

juped4y ago

Yes, the authors of that document did an great public service in letting us point to an "official government standard".

j / k navigate · click thread line to collapse