NIST updating password recommendations

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

(Full story is behind the Wall Street Journal’s pay wall.)

You’ve used passwords like P@ssw0rd for years. It’s what NIST recommended for the federal government in 2003, and major corporations and universities picked up the guidance and set their password requirements to match.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He looked for some real-world data to see what people were doing.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

Given there wasn’t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

Now there is better password data available. Have I Been Pwned currently lists 3,999,249,352 accounts from 228 breached websites. My own data has been breached over a dozen times, including by our own government.

The truth about passwords is we’re bad at passwords. I am terrible at passwords. That’s why I’ve used 1Password to keep my passwords secure. I don’t know most of my passwords because they are nonsense and very long. I know a single master password.

Given this new data, NIST is updating its recommendations, which will slowly be adopted by government and companies, just as the original guidance was.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.

Password requirement comic from XKCD.
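The math the comic illustrates, worked through as an added example (this is not code from the post or from XKCD): a password’s entropy is the number of equally likely choices an attacker has to search, so a passphrase drawn at random from a published word list can be scored exactly like a random character string, while a “complex” password built from a dictionary word plus substitutions is scored only on the few choices its owner actually made. The word-list size is that of the Diceware/EFF long list; the sample words, the breakdown of the patterned password and the guess rates are assumptions for illustration.

```python
import math
import secrets

# Size of a published passphrase word list (Diceware / EFF long list:
# 7,776 words). Only the list size enters the entropy math.
WORDLIST_SIZE = 7776

# Constructed sample words for the generator below; a real generator
# reads the full list from disk.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit",
                "lantern", "quartz", "velvet", "mango", "ripple"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices_per_position, positions):
    """Entropy of a secret whose every position is drawn uniformly at
    random from `choices_per_position` options (words or characters)."""
    return positions * math.log2(choices_per_position)


def patterned_password_bits():
    """Assumed breakdown of a 'Tr0ub4dor&3'-style password: the attacker
    searches a dictionary plus the handful of decorations people add,
    not the full printable-ASCII space. Each value is the number of
    options the owner chose among; its entropy is log2 of that number."""
    choices = {
        "base word from a ~65k-word dictionary": 2 ** 16,
        "capitalise the first letter or not": 2,
        "which common l33t substitutions to apply": 2 ** 3,
        "trailing digit": 10,
        "trailing punctuation character": 16,
        "digit before or after the punctuation": 2,
    }
    return sum(math.log2(n) for n in choices.values())


def worst_case_crack_years(bits, guesses_per_second):
    """Time to exhaust the whole space (the average hit is half of this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count=4):
    """Draw words with the CSPRNG-backed `secrets` module, never `random`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second=1000):
    """Score the cases the text contrasts at a given guess rate.
    1,000/s is the comic's rate-limited online assumption; an offline
    attack on a leaked fast hash runs many orders of magnitude faster."""
    cases = {
        "Tr0ub4dor&3 (word + substitutions)": patterned_password_bits(),
        "8 random printable ASCII chars": entropy_bits(95, 8),
        "4 random words": entropy_bits(WORDLIST_SIZE, 4),
        "6 random words": entropy_bits(WORDLIST_SIZE, 6),
    }
    return {name: (round(bits, 1),
                   worst_case_crack_years(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:38s} {bits:5.1f} bits  {years:10.3g} years at 1,000 guesses/s")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Read the numbers carefully: eight truly random printable characters (about 52.6 bits) score fractionally higher than four random words (about 51.7 bits), so the passphrase’s advantage is not length for its own sake. It is that the passphrase is random where Tr0ub4dor&3 is predictable (about 28 bits once the attacker models the pattern), and that it is memorable enough to be used without being written on a sticky note. Six words clears 77 bits. The 1,000 guesses per second rate only holds while the service throttles the attacker; against a leaked database of fast, unsalted hashes the rate is in the billions per second, which is why the current NIST guidance also tells verifiers to screen new passwords against lists of breached ones.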

Facebook discovers telepresence?

Facebook is testing a feature that would allow the camera to automatically scan for people in its range and lock onto them, one of the people said. For example, the camera could zoom onto a painting that a child brought home from school to show to a parent away on a business trip. Facebook has also been developing a 360 degree camera for the device, but people familiar with the matter say it’s unlikely to be ready in time for the initial launch.

Source: Facebook Is Working on a Video Chat Device – Bloomberg

This is nothing new in the telepresence space. Cisco and Polycom have similar technologies available. The technology is impressive and useful in conference rooms to tell who is speaking.

Bringing this technology into the home was an obvious step. If (and I say if, because a speculative device doesn’t exist yet) this device ships with the face-tracking software, it will be useful for chatting at home.

Facebook is behind it, so people are going to scream about that. And they’re not wrong. Google and Facebook are advertising companies. They thrive on personal information so they can sell that information to companies who want to sell us stuff. (And doing a poor job of it, judging by the ads I’m being served.)

There is a big world of data yet to be exploited and Facebook will do their best to exploit it.

Solar Power Experiments

I love the idea behind this experiment and solar power in general. The sun is going to shine. Why not collect some of that light as power? When we finish buying our house, we’re going to look into getting solar installed if it’s in a good spot. But I wish I had seen this before when we were renting in a high-rise. The goal here isn’t to save money. The author does some math on the potential savings and they’re not much. But being self-sufficient is a good goal on its own. It’s also a nice little backup system for when power does go out.

Parts required for this solar project, from the original author.

My goal is to take care of the energy needs for just my bedroom. 4 main components are all we need to achieve this: A solar panel to collect, a battery to store, an inverter to convert the direct current to alternating current, and a “charge controller” to balance the three other components. I’m using bargain-basement parts intended for RV, marine & car usage which keeps my system cheap and mobile.

Source: $200 solar self-sufficiency — without your landlord noticing.

Scam calls no more

Since joining T-Mobile (and having them pay off our Google Pixels) I appreciate the Scam ID feature on incoming calls. Instead of a caller ID, the screen lights up red with Scam Likely as the name.

I appreciate the notification that it’s a scam but I wish I could have the calls blocked automatically. Today, I learned that’s possible with the aptly named Scam Block feature.

T-Mobile offers more information about these features.

To enable Scam ID or Scam Block and check their statuses:

#ONI# (#664#) – Enable Scam ID
#ONB# (#662#) – Enable Scam Block
#OFB# (#632#) – Disable Scam Block
#STS# (#787#) – Check Scam Block enabled status

I’ve turned on Scam Block, since most of my calls are scammers offering me holidays away, free cruises and hotels. So many hotels. I’m looking forward to my phone no longer ringing every day with scam calls.

We can all hear you now

Verizon Wireless is the next winner of “Which Company Will Expose Your Data!”

So if you’ve got a PIN or password with them that you also use elsewhere, it’s time to change it. The danger isn’t an attacker getting your Verizon info; it’s them using that same password or PIN to get into your email or banking accounts.

Here’s what Verizon Wireless left open on the web.

Six folders for each month from January through to June contained several daily log files, apparently recording customer calls from different US regions, based on the location of the company’s datacenters, including Florida and Sacramento. Each record also contained hundreds of fields of additional data, including a customer’s home address, email addresses, what kind of additional Verizon services a subscriber has, the current balance of their account, and if a subscriber has a Verizon federal government account, to name a few. One field also appeared to record a customer’s “frustration score,” by detecting if certain keywords are spoken by a customer during a call.

And even though the mistake itself wasn’t made by Verizon Wireless, they’re still to blame, since they outsourced the work and handed the data to a vendor who made it.

“Verizon provided the vendor with certain data to perform this work and authorized the vendor to set up AWS storage as part of this project,” said a spokesperson. “Unfortunately, the vendor’s employee incorrectly set their AWS storage to allow external access.”
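The mistake the spokesperson describes is a storage permission, not a break-in, and that kind of mistake is checkable. As an added example (not Verizon’s, the vendor’s or ZDNet’s code), and assuming the “AWS storage” was an S3 bucket, here is a small audit that flags the grants which expose a bucket to the internet, run against a constructed open policy, a corrected one and a constructed ACL. The bucket name, account ID and role name are placeholders.

```python
import json

# Canned S3 ACL group URIs. AllUsers is anonymous; AuthenticatedUsers
# is "anyone with any AWS account", which is public for practical purposes.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy):
    """Classify each Allow statement granted to everyone.
    Returns (Sid, actions, verdict) tuples; verdict is 'public' when the
    statement has no Condition and 'review' when it has one, because a
    condition such as aws:SecureTransport narrows nothing about *who*."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        verdict = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action")), verdict))
    return findings


def audit_bucket_acl(grants):
    """Flag ACL grants to the public groups (get-bucket-acl's Grants shape)."""
    return [g for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]


# Constructed policies. Account ID, bucket and role names are placeholders.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "LetTheTeamDownloadLogs",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-call-logs",
                 "arn:aws:s3:::example-call-logs/*"]
  }]
}""")

RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OnlyTheProcessingRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/VendorProcessing"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-call-logs",
                 "arn:aws:s3:::example-call-logs/*"]
  }, {
    "Sid": "DenyUnencryptedTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-call-logs/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# Constructed ACL grant list in the shape returned by get-bucket-acl.
OPEN_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    print("open policy:      ", audit_bucket_policy(OPEN_POLICY))
    print("restricted policy:", audit_bucket_policy(RESTRICTED_POLICY))
    print("open ACL:         ", audit_bucket_acl(OPEN_ACL_GRANTS))
```

A Deny addressed to everyone is fine and is what the corrected policy uses; only Allow statements are reported. In practice you would feed the live documents in from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`, and turn on S3 Block Public Access for the account so that a policy like the open one above is rejected when it is written rather than discovered months later by a researcher.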

A hacker doesn’t need to break into a server when a vendor leaves it out on the web. This is where I start my pitch for 1Password because the breaches, mistakes and leaks of data are not going to stop.

I have used 1Password full-time for almost a year. It keeps everything safe and secure. My Verizon password (when we were customers) was a long string of 20-something numbers and letters. It didn’t match anything else and I never knew it. But 1Password did. It’s only $5 per month for up to 5 people. You can have separate vaults where you keep your logins and personal information. There are also shared vaults, which are great for couples to share common information and keep sensitive information like Social Security Numbers safe. I keep every login for every site I sign up for there, as well as my banking information, including routing and account numbers. I also keep a profile I use to fill in forms on websites, and the plastic cards I use to buy things.

Because Verizon isn’t the first company to leak your info, and they won’t be the last. It’s going to happen. Over and over and over. You should sign up for 1Password. It will take the guesswork out of passwords and sensitive information.