The NIST Finally Formally Chooses SAM Security Model for Passwords

scottalanmiller

Buried in here, I'm told, lol, for those that want to dig it out: https://pages.nist.gov/800-63-3/sp800-63b.html

stacksofplates

Dashrender

Could have sworn I posted about this weeks ago.

JaredBusch

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

Could have sworn I posted about this weeks ago.

You did, but you didn't claim that NIST followed your recommendation.

scottalanmiller

@jaredbusch said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

Could have sworn I posted about this weeks ago.

You did, but you didn't claim that NIST followed your recommendation.

I only said that they mirrored it, not followed it. Not quite the same.

gjacobse

just found this:

Man who came up with rules for creating passwords says he blew it

Dashrender

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

DustinB3403

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

Because he was fucking paid to write the memo. Do what you're told or find a new job.

Obviously.

Dashrender

@dustinb3403 said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

Because he was fucking paid to write the memo. Do what you're told or find a new job.

Obviously.

Yeah - more govment meaningless crap!

scottalanmiller

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

We all knew whoever did it didn't know the first thing about passwords. But why the NIST let him make it... that's the real question.

DustinB3403

@scottalanmiller is that really the question.

More importantly why does it fucking matter. It was written so long ago and there has been plenty of time and evidence that what was written down was complete bullshit.

Dashrender

@scottalanmiller said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@dashrender said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@gjacobse said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

just found this:

Man who came up with rules for creating passwords says he blew it

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo.

WTF are you doing making a memo then? Not that we probably really understood the potential issues at that point, but still.

We all knew whoever did it didn't know the first thing about passwords. But why the NIST let him make it... that's the real question.

this was my real question...

scottalanmiller

@dustinb3403 said in The NIST Finally Formally Chooses SAM Security Model for Passwords:

@scottalanmiller is that really the question.

More importantly why does it fucking matter. It was written so long ago and there has been plenty of time and evidence that what was written down was complete bullshit.

Except they new it was BS in 2003, too.