Most active commenters

    ←back to thread

    I read the federal government’s Zero-Trust Memo so you don’t have to

    (www.bastionzero.com)
    656 points EthanHeilman | 15 comments | 27 Jan 22 15:06 UTC | HN request time: 0.792s | source | bottom
    Show context
    staticassertion ◴[27 Jan 22 15:56 UTC] No.30102061[source]
    This is pretty incredible. These aren't just good practices, they're the fairly bleeding edge best practices.

    1. No more SMS and TOTP. FIDO2 tokens only.

    2. No more unencrypted network traffic - including DNS, which is such a recent development and they're mandating it. Incredible.

    3. Context aware authorization. So not just "can this user access this?" but attestation about device state! That's extremely cutting edge - almost no one does that today.

    My hope is that this makes things more accessible. We do all of this today at my company, except where we can't - for example, a lot of our vendors don't offer FIDO2 2FA or webauthn, so we're stuck with TOTP.

    replies(15): >>30103088 #>>30103131 #>>30103846 #>>30104022 #>>30104121 #>>30104716 #>>30104840 #>>30105344 #>>30106941 #>>30107798 #>>30108481 #>>30108567 #>>30108916 #>>30111757 #>>30112413 #
    1. meepmorp ◴[27 Jan 22 18:05 UTC] No.30103846[source]
    Also, “Password policies must not require use of special characters or regular rotation.”

    They even call out the fact that it's a proven bad practice that leads to weaker passwords - and such policies must be gone from government systems in 1 year from publication of the memo. It's delightful.

    replies(5): >>30104317 #>>30104644 #>>30104914 #>>30106431 #>>30108010 #
    2. CGamesPlay ◴[27 Jan 22 18:37 UTC] No.30104317[source]
    I am a bit concerned that this will be read as "Password policies must require the use of no special characters", possibly as a misguided attempt to push people away from adding using "Password123!" as the password. I wish the memo had spelled out a little more clearly that there's nothing wrong with special characters, but they shouldn't be required. Also, is a whitespace a special character?
    replies(1): >>30104479 #
    3. pm90 ◴[27 Jan 22 18:49 UTC] No.30104479[source]
    If we were to stop using special characters and only use human friendly phrases (eg “jupiterIsTheSmallestPlanet”) it wouldn’t be the end of the world.
    replies(1): >>30109430 #
    4. atuladhar ◴[27 Jan 22 19:01 UTC] No.30104644[source]
    Somewhat unrelated, but hopefully this also means TreasuryDirect will get rid of its archaic graphical keyboard that disables the usage of password managers.

    (Graphical keyboards are an old technique to try to defeat key loggers. A frequent side effect of a site using a graphical keyboard is that the developer has to make the password input field un-editable directly, which prevents password managers from working, unless you use a user script to make the field editable again.)

    replies(1): >>30104677 #
    5. tbirdz ◴[27 Jan 22 19:04 UTC] No.30104677[source]
    Just saying in this in case it will help you. For treasurydirect, you can use inspect element and change the value="" field on the password element, and paste in your password from your password manager. It's not as convenient as autofill from your password manager, but it sure beats using the graphical keyboard.
    replies(1): >>30178670 #
    6. xoa ◴[27 Jan 22 19:20 UTC] No.30104914[source]
    Yeah, while the clear and correct focus overall is on moving away from passwords entirely (FINALLY!!!!!) it's still nice to see something immediately actionable on at least improving policies in the mean time since those should be very low hanging fruit. Although one thing one thing I don't see is a mention of is doing away with (or close enough) password max character limits and requiring that everything get hashed step 1. Along with rotation and silly complex rules, stupid low character limits is the other big irritation with common systems. If passwords must be used they should be getting hashed client-side anyway (and then again server-side) so the server should be getting a constant set of bits no matter what the user is inputting. There isn't really any need at all for character limits at this point. If anything it's the opposite, minimums should be a lot higher. If someone is forced to use at least 20-30 characters say that essentially requires a password manager or diceware. And sheer length helps even bad practices.

    But maybe they didn't bother giving much more effort to better passwords because they really don't want those to stick around at all and good for them. Password managers themselves are a bandaid on the fundamentally bad practice of using a symmetric factor for authentication.

    7. mooreds ◴[27 Jan 22 20:50 UTC] No.30106431[source]
    To be fair, this was part of the NIST guidelines since Mar 2020. A whole appendix was added to justify it: https://pages.nist.gov/800-63-3/sp800-63b.html#appA
    replies(1): >>30106864 #
    8. gkop ◴[27 Jan 22 21:19 UTC] No.30106864[source]
    Way earlier than that, even.

    > Verifiers SHOULD NOT impose other composition rules (mixtures of different character types, for example) on memorized secrets

    Earliest draft in Wayback Machine, dated June 2016. Lots of other good stuff from 800-63 dates back this early too.

    https://web.archive.org/web/20160624033024/https://pages.nis...

    replies(2): >>30107106 #>>30109354 #
    9. dragonwriter ◴[27 Jan 22 21:37 UTC] No.30107106{3}[source]
    SHOULD NOT and MUST NOT are very different from a compliance perspective.

    The former usually means something between nothing at all and “you can do it but you have to write paperwork that no one will actually read in detail, but someone will maybe check the existence of, if you do”.

    The latter means “do it and you are noncompliant”.

    replies(2): >>30107391 #>>30108778 #
    10. dllthomas ◴[27 Jan 22 21:59 UTC] No.30107391{4}[source]
    https://datatracker.ietf.org/doc/html/rfc2119 is a good reference, although those precise definitions may or many not be in effect in any particular situation (including this one).

    See also https://datatracker.ietf.org/doc/html/rfc6919

    11. carbonx ◴[27 Jan 22 22:40 UTC] No.30108010[source]
    I worked for the govn't ~20 year ago - in IT - and even I hated our password policies. I just kept iterating the same password because we had to change it every 6 weeks.
    12. gkop ◴[27 Jan 22 23:52 UTC] No.30108778{4}[source]
    Thanks for pointing out the improvement over NIST, it wasn’t clear to me. But did you mean to reply to my parent? Both the draft and the current language say SHOULD NOT. I’d rather “must”, but will settle for “should”; the NIST docs have certainly made my work easier. Hopefully NIST improves, and perhaps this memo will help!

    The essential purpose of my comment was only to correct my parent on the date.

    13. wslack ◴[28 Jan 22 00:54 UTC] No.30109354{3}[source]
    They accepted edits via pull request when that was in the works! [1] Such a better model of giving feedback or suggesting edits compared to sending in a marked-up PDF.

    [1]: https://github.com/usnistgov/800-63-3/pull/576

    14. godelski ◴[28 Jan 22 01:02 UTC] No.30109430{3}[source]
    But if a whitespace is not a special character (or punctuation) we can add entropy with "Jupiter is the smallest planet!" while still being human readable and using the passphrase paradigm.
    15. atuladhar ◴[02 Feb 22 15:16 UTC] No.30178670{3}[source]
    Thanks! That would definitely be a way to do it. I was hinting at something similar by saying "unless you use a user script to make the field editable again". You could also run a bookmarklet that makes the input editable using JavaScript, and then using the password manager. But it's a pain in any case if you're using the site on a mobile device.