Daily Archives: 2024-09-26

NIST Recommends Some Common-Sense Password Rules

Source: Schneier on Security

Article note: Let's hope some fuckers start following this advice, because we're currently in an age of "You have to regularly change your password following rules so arcane you have to carefully construct a password to comply with them, then two-factor with some bullshit third party that frequently doesn't work."

NIST’s second draft of its “SP 800-63-4”—its digital identity guidelines—finally contains some really good rules about passwords:

The following requirements apply to passwords:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Hooray.

News article. Slashdot thread.

Posted in News
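As an added example (not code from the NIST draft or from Schneier's post), here is a small Python password-policy checker and verifier that implements the length, character-set and no-truncation requirements quoted above: length is counted in Unicode code points, no composition rules are applied, and the whole password is hashed. The 256-code-point upper cap and the rejection of control characters are this example's own assumptions, not requirements from the draft.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Constructed policy values following the draft's numbered requirements.
MIN_LENGTH_REQUIRED = 8      # req. 1: SHALL require at least 8
MIN_LENGTH_RECOMMENDED = 15  # req. 1: SHOULD require at least 15
MAX_LENGTH = 256             # req. 2: SHOULD permit at least 64 (cap is an assumption)


def policy_violations(password: str, min_length: int = MIN_LENGTH_RECOMMENDED) -> List[str]:
    """Return the list of rule violations for a candidate password (empty = acceptable).

    Length is measured in Unicode code points, which is what len() returns for a
    Python 3 str (req. 4); no composition rules are checked (req. 5). Rejecting
    control characters (Unicode category Cc) is this example's assumption: the
    draft only says printing ASCII, space and Unicode characters must be accepted.
    """
    if min_length < MIN_LENGTH_REQUIRED:
        raise ValueError("minimum length may not be configured below 8")
    problems = []
    n = len(password)  # code points, not bytes and not UTF-16 units
    if n < min_length:
        problems.append(f"shorter than {min_length} code points ({n})")
    if n > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} code points ({n})")
    if any(unicodedata.category(ch) == "Cc" for ch in password):
        problems.append("contains control characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the entire password (req. 9) with scrypt from the standard library."""
    salt = os.urandom(16) if salt is None else salt
    data = password.encode("utf-8")  # the whole string is hashed; nothing is truncated
    digest = hashlib.scrypt(data, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest over the full submitted password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```

Note that some password-hashing primitives silently truncate long inputs (bcrypt stops at 72 bytes), which would violate requirement 9 for passwords up to the 64-character floor when they contain multi-byte characters; the test below checks that two passwords differing only beyond that point verify differently.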

Sony, Ubisoft scandals prompt Calif. ban on deceptive sales of digital goods

Source: Ars Technica

Article note: We needed this regulation widely implemented like 20 years ago. If it isn't covered by first sale doctrine, you aren't "buying" it. If a vendor-controlled server controls your access, you aren't "buying" it.


California recently became the first state to ban deceptive sales of so-called "disappearing media."

On Tuesday, Governor Gavin Newsom signed AB 2426 into law, protecting consumers of digital goods like books, movies, and video games from being duped into purchasing content without realizing access was only granted through a temporary license.

Sponsored by Democratic assemblymember Jacqui Irwin, the law makes it illegal to "advertise or offer for sale a digital good to a purchaser with the terms buy, purchase, or any other term which a reasonable person would understand to confer an unrestricted ownership interest in the digital good, or alongside an option for a time-limited rental."


Posted in News

OpenAI to Become For-Profit Company

Source: Hacker News

Article note: The griftiest grift. Retain the nonprofit to suck up content under the "It's just research" excuse [1], while spinning up a for-profit to more efficiently move rubes'[2] money into insiders' pockets. [1] Note: I'm an IP minimalist who only resents AI companies getting away with that because everyone should be able to and can't. [2] Rubes here being mostly VCs buying into the AI hype and giving OpenAI money hoping they'll be the ones to reap absurd profits, and B2B customers setting up "AI Startups" and "AI in their business" by making OpenAI API Calls.
Posted in News