https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74876#M4620 <P>I watched an ISC2 webinar where Bruce Schneier broke into a computer with MFA/2FA in moments just using cookies.&nbsp; No password was needed.&nbsp; So we should never feel too secure.&nbsp;&nbsp;</P> Fri, 01 Nov 2024 19:50:18 GMT nkeaton 2024-11-01T19:50:18Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74708#M4613 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1729325928531.jpg" style="width: 400px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/9152i7329032A027E1C96/image-size/medium?v=v2&amp;px=400" role="button" title="1729325928531.jpg" alt="1729325928531.jpg" /></span></P><P> </P> Thu, 24 Oct 2024 21:51:51 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74708#M4613 dcontesti 2024-10-24T21:51:51Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74722#M4614 <P>Be cautious with what one takes away from this chart.&nbsp;&nbsp;</P><P>&nbsp;</P><P>For example, it implies that "Password1!" would take 33,000 years to break, which is clearly not the true, given that it shows up in the top-10 list of nearly every "common passwords" list.</P><P>&nbsp;</P><P>One also needs to question if they even believe their own results.&nbsp; Live on earth has existed for 300k years, yet they require 1,000,000k for green.&nbsp;&nbsp;</P><P>&nbsp;</P><P>On the other hand, one can properly use it to learn that a password consisting solely of lowercase letters is equivalent in strength when 25% longer than a "complex" (upper/lower/digit/special) password.&nbsp;&nbsp;</P><P>&nbsp;</P><P>The most important password advise I can give to my CISSP peers is that passwords can not be made "good enough" to protect anything sensitive.&nbsp; Instead, one needs to augment them with multi-factor, completely replace them newer technology (e.g. passkeys), and/or make login pages accessible only from protected/secure locations.</P><P>&nbsp;</P><P>And, for as long as we need to put up with passwords, do read up on what NIST has to say in <A href="https://pages.nist.gov/800-63-3/sp800-63b.html#appA" target="_blank" rel="noopener">Appendix A</A> of their Identity Guidelines.</P> Fri, 25 Oct 2024 18:02:04 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74722#M4614 denbesten 2024-10-25T18:02:04Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74723#M4615 <P>You may want to be aware of this:&nbsp;&nbsp;<A href="https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules?fbclid=IwY2xjawGIw_9leHRuA2FlbQIxMAABHfGjzZmQLUnp1hKXjRlEMTbEfhh92GMxuWpspBXqK7oKk943pmtixT0GdQ_aem_cWQRw5VPGmdfsWWI-gqavQ" target="_blank" rel="noopener">https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules?fbclid=IwY2xjawGIw_9leHRuA2FlbQIxMAABHfGjzZmQLUnp1hKXjRlEMTbEfhh92GMxuWpspBXqK7oKk943pmtixT0GdQ_aem_cWQRw5VPGmdfsWWI-gqavQ</A>&nbsp; I will paste in the very beginning of it here:&nbsp;</P><P>&nbsp;</P><P class=""><SPAN class="">The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.</SPAN></P><P class=""><SPAN class="">NIST's second public draft version of its password guidelines (</SPAN><SPAN class=""><A class="" href="https://pages.nist.gov/800-63-4/sp800-63b.html" target="_blank" rel="noopener">SP 800-63-4</A></SPAN><SPAN class="">) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types or characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.</SPAN></P><P class=""><SPAN class="">Other recommendations include:</SPAN></P><DIV class=""><UL class=""><LI><DIV class=""><DIV class=""><P class=""><SPAN class="">CSPs shall require passwords to be minimum of eight characters in length and should require passwords to be a minimum of 15 characters in length.</SPAN></P></DIV></DIV></LI><LI><DIV class=""><DIV class=""><P class=""><SPAN class="">CSPs should allow passwords of a maximum of at least 64 characters.</SPAN></P></DIV></DIV></LI><LI><DIV class=""><DIV class=""><P class=""><SPAN class="">CSPs should allow ASCII and Unicode characters to be included in passwords.</SPAN></P></DIV></DIV></LI></UL></DIV> Fri, 25 Oct 2024 18:47:21 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74723#M4615 nkeaton 2024-10-25T18:47:21Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74729#M4616 <P>The National Cyber Security Centre recommends 3 random words:</P><P><A href="https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words" target="_blank">https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words</A></P><P>&nbsp;</P><P>This makes it relatively easy to set a 15 to 20 character password that you will remember.</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 26 Oct 2024 11:14:59 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74729#M4616 Steve-Wilme 2024-10-26T11:14:59Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74749#M4618 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/253792811">@nkeaton</a>&nbsp;the best advice I ever heard about passwords is that they should include as much randomization as possible when they are composed.</P><P>&nbsp;</P><P>But that's something which is nearly impossible to scale for a single user, at least without using a password manager.</P><P>&nbsp;</P><P>So when NIST first changed its guidelines in the 2010's (which discouraged <EM>complexity</EM> and promoted <EM>length</EM>), as&nbsp;<a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/783051913">@Steve-Wilme</a>&nbsp;said, changing to passphrases with random words seemed like a very good solution.&nbsp; Random, unrelated words seems to scale a little easier for people who need a strong password in a pinch.</P><P>&nbsp;</P><P>That's my two cents (which now costs six cents each to make).</P> Mon, 28 Oct 2024 15:17:19 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74749#M4618 ericgeater 2024-10-28T15:17:19Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74819#M4619 <P>The other thing to keep in mind is that where MFA cannot be deployed, longer passwords are beginning to be mandated, for example by the PCI SSC.&nbsp;&nbsp;</P><P>&nbsp;</P> Thu, 31 Oct 2024 08:03:59 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74819#M4619 Steve-Wilme 2024-10-31T08:03:59Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74876#M4620 <P>I watched an ISC2 webinar where Bruce Schneier broke into a computer with MFA/2FA in moments just using cookies.&nbsp; No password was needed.&nbsp; So we should never feel too secure.&nbsp;&nbsp;</P> Fri, 01 Nov 2024 19:50:18 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74876#M4620 nkeaton 2024-11-01T19:50:18Z https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74913#M4624 <P>That's just an example of a technology failing.&nbsp; A password was still necessary to protect the resource, but its output was improperly stored, or was manipulated in ways which should have been prevented.</P> Mon, 04 Nov 2024 04:03:39 GMT https://community.isc2.org/t5/Tech-Talk/How-easy-are-passwords-to-crack-times/m-p/74913#M4624 ericgeater 2024-11-04T04:03:39Z