NIST updating password recommendations

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

(The full story is behind the Wall Street Journal’s paywall.)

You’ve used P@ssw0rds like this for years. It’s what NIST recommended for the Federal Government in 2003 and major corporations and universities picked up the guidance and set their password requirements to match.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He looked for some real-world data to see what people were doing.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

Given there wasn’t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

Now there is better password data available. Have I Been Pwned currently lists 3,999,249,352 accounts from 228 websites. My own data has been breached over a dozen times, including by our own government.

The truth about passwords is we’re bad at passwords. I am terrible at passwords. That’s why I’ve used 1Password to keep my passwords secure. I don’t know most of my passwords because they are nonsense and very long. I know a single master password.

Given this new data, NIST is updating its recommendations, which will slowly be adopted by the government and companies, just as the original guidance was.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.

Password requirement comic from XKCD.
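Here is the comic’s arithmetic carried through in code, as an added example that is not part of the original post, the WSJ story, or XKCD. It assumes the comic’s figures (a 2,048-word vocabulary, so 11 bits per word; an estimate of about 28 bits for a single substituted word like Tr0ub4dor&3; a throttled rate of 1,000 guesses per second), a 7,776-entry Diceware-style list for the generator, and a constructed stand-in for a breached-password list of the kind Have I Been Pwned publishes. The word list and the breached set are sample data embedded here so it runs offline.

```python
import hashlib
import math
import secrets

# Constructed sample word list; a real Diceware-style list has thousands of
# entries. DICEWARE_LIST_SIZE is the assumed size of the full list a production
# generator would draw from, and it is what the entropy math uses.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit",
    "pencil", "marble", "thunder", "velvet", "garden", "copper", "signal",
]
DICEWARE_LIST_SIZE = 7776   # 6**5 entries, about 12.9 bits per word
XKCD_LIST_SIZE = 2048       # the comic's assumption: 11 bits per word
PRINTABLE_ASCII = 95        # pool size for a random printable-character password
XKCD_SUBSTITUTED_WORD_BITS = 28.0  # the comic's own estimate for Tr0ub4dor&3

# Constructed stand-in for a breached-password corpus. Have I Been Pwned
# publishes SHA-1 hashes of leaked passwords; these four are sample entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("P@ssw0rd", "Password1!", "Tr0ub4dor&3", "123456")
}


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from `pool_size`."""
    return length * math.log2(pool_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2.0 ** bits / guesses_per_second


def crack_time_years(bits: float, guesses_per_second: float) -> float:
    """Same as crack_time_seconds, expressed in Julian years."""
    return crack_time_seconds(bits, guesses_per_second) / (365.25 * 86400)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the breached corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def compare_schemes(guesses_per_second: float = 1000.0) -> dict:
    """Reproduce the comic's comparison: one substituted word vs four words."""
    four_words = entropy_bits(XKCD_LIST_SIZE, 4)
    return {
        "substituted_word_bits": XKCD_SUBSTITUTED_WORD_BITS,
        "four_words_bits": four_words,
        "substituted_word_days":
            crack_time_seconds(XKCD_SUBSTITUTED_WORD_BITS, guesses_per_second) / 86400,
        "four_words_years": crack_time_years(four_words, guesses_per_second),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, "->", round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
          "bits if drawn from the full", DICEWARE_LIST_SIZE, "word list")
    print("8 random printable characters ->",
          round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print(compare_schemes())
    print("P@ssw0rd breached?", is_breached("P@ssw0rd"))
```

The 1,000 guesses per second figure is the comic’s throttled-online rate; an offline attack against a fast hash runs many orders of magnitude faster, so treat the absolute times as a relative comparison between the two schemes rather than as a safety margin. The breached-list check is there because the new guidance replaces forced rotation with rejecting passwords already known to be compromised; a production system would query a live corpus rather than this embedded sample.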

Blizzard of 20-pound bond

Knocking Down your Creative Blocks – 99U

In time, my office looked like it had been hit by a blizzard of 20-pound bond. There were piles of paper on every flat surface, and on the floor around me, all of them tagged with colorful Post-it Notes, some of the piles reaching several feet in height—a miniature cityscape at my feet: Transcribed interviews, notes, court documents and legal transcripts of testimony and deposition hearings, newspaper clippings, non-fiction books and research papers on the subjects of AIDS and the Reagan Administration’s war on pornography (a period during which porn consumption by the public rose exponentially, I would learn). Not to mention my collection of VHS films—black plastic rectangles, clad in colorful cardboard slip covers, stacked in rickety piles like so many skyscrapers populating my urban jungle of research materials.

The blizzard of 20-pound bond is a beautiful bit of writing. Reading that line made my old soul smile. I can also relate to being surrounded by paper and Post-It Notes.

Facebook discovers telepresence?

Facebook is testing a feature that would allow the camera to automatically scan for people in its range and lock onto them, one of the people said. For example, the camera could zoom onto a painting that a child brought home from school to show to a parent away on a business trip. Facebook has also been developing a 360 degree camera for the device, but people familiar with the matter say it’s unlikely to be ready in time for the initial launch.

Source: Facebook Is Working on a Video Chat Device – Bloomberg

This is nothing new in the telepresence space. Cisco and Polycom have similar technologies available. The technology is impressive and useful in conference rooms to tell who is speaking.

Bringing this technology into the home was an obvious step. If (and I say if because anything speculative doesn’t exist yet) this device exists, the facial tracking software will be useful for chatting at home.

Facebook is behind it so people are going to scream about that. And they’re not wrong. Google and Facebook are advertising companies. They thrive on personal information so they can sell that information to companies who want to sell us stuff. (And doing a poor job from the looks of ads I’m being served.)

There is a big world of data yet to be exploited and Facebook will do their best to exploit it.

What Bullets Do to Bodies – NYT

Early in my medical training, I learned that it is not the bullet that kills you, but the damage from the bullet. A handgun bullet enters the body in a straight line. Like a knife, it damages the organs and tissues directly in its path, and then it either exits the body or is stopped by bone, tissue or skin.
This is in contrast to bullets from an assault rifle. They are three times the speed of handgun bullets. Once they enter the body, they fragment and explode, pulverizing bones, tearing blood vessels and liquefying organs.
This is what was happening to my patient, whose heart quickly stopped beating. We performed an emergency thoracotomy — splitting open his chest in an attempt to clamp off bleeding and restart his heart. Blood poured out of his chest cavity. The bullet had disintegrated his spleen and torn his aorta. Four ribs had essentially turned to dust. The damage was far too extensive. He died in our E.R. He was 15.

Source: What Bullets Do to Bodies – The New York Times

How ‘Snowflake’ Became America’s Inescapable Tough-Guy Taunt

Political discourse in 2017 finds its roots in Fight Club.

Today’s tough-guy posturing seems rooted, paradoxically, in threat and fear: fear of defeat, fear of lost status and fear that society is growing increasingly ill suited to tough-guy posturing in the first place. The narrator of “Fight Club,” source of that “snowflake” mantra, was a delusional man coping with modernity by inventing a hypermasculine alter-ego, imagining himself as the man-cult leader Tyler Durden. But making an entire alternate masculine identity is a lot of work. It’s always much easier to just call other people wimps and snowflakes — and hope they’ll be intimidated enough to melt away.

Via – How ‘Snowflake’ Became America’s Inescapable Tough-Guy Taunt – The New York Times