NJ Courts Impose Ridiculous Password Policy 'To Comply With NIST' That Does Exactly What NIST Says Not To Do

from the the-poor-online-security-guardin'-state dept

As a New Jersey native I know how tempting it is for people to gratuitously bash my home state. But, you know, sometimes it really does have it coming.

In this case it's because of the recent announcement of a new password policy for all of the New Jersey courts' online systems – ranging from e-filing systems for the courts to the online attorney registration system – that will now require passwords to be changed every 90 days.

This notice is to advise that the New Jersey Judiciary is implementing an additional information security measure for those individuals who use Judiciary web-based applications, in particular, attorney registration, eCourts, eCDR, eTRO, eJOC, eVNF, EM, MACS, and DVCR. The new security requirement - password synchronization or p-synch - will require users to electronically reset their passwords every 90 days.

For reasons explained below, this new policy is a terrible idea. But what makes it particularly risible is that the New Jersey judiciary is claiming this change is being implemented in order to comply with NIST.

This requirement is being added to ensure that our systems and data are protected and secure consistent with industry security standards (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)).

The first problem here, of course, is that this general allusion to NIST is not helpful. If NIST has something specific to say that the courts are relying on, then the courts should specifically say what it is. Courts would never accept these sorts of vague, hand-wavy references to authority in matters before them. Assertions always require a citation to the support upon which they are predicated so that they can be reviewed for accuracy and reasonableness. Instead the New Jersey judiciary here expects us to presume this new policy is both, when in fact it is neither.

The reality is that the NIST Cybersecurity Framework does not even mention the word "password," let alone any sort of 90-day expiration requirement. Moreover, what NIST does actually say about passwords is that they should not be made to expire. In particular, the New Jersey judiciary should direct its attention to Special Publication 800-63B, which expressly says:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene. Guess what else the new New Jersey password policy does:

Users must select passwords that are no more than eight (8) characters long and contain at least one capital letter, one lower case letter, one numeral, and one of the enumerated special characters.
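To make the contrast concrete, here is an added example (written for this page, not code from the NJ judiciary or from NIST) that encodes the quoted NJ rules beside a checker built on the SP 800-63B guidance: a floor of 8 characters, no cap below 64, no composition rules, and rejection of values that are commonly used, repetitive or sequential, or context-specific. It goes a little beyond the quoted sentence by including those last three 800-63B checks. The `NJ_SPECIAL` set stands in for the notice's "enumerated special characters", which the page does not list; the blocklist is a small constructed sample rather than a breach corpus; and the season-plus-year pattern, the run detector and the `username` parameter are my own choices.

```python
import re
import unicodedata

# The notice's "enumerated special characters" are not reproduced on the page;
# this set is an assumption standing in for that list.
NJ_SPECIAL = set("!@#$%^&*")


def nj_policy_accepts(pw):
    """The rules quoted from the NJ notice: at most eight characters, with at
    least one upper-case letter, one lower-case letter, one digit and one
    special character."""
    return (len(pw) <= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and any(c in NJ_SPECIAL for c in pw))


def _normalize(pw):
    """NFKC-normalized, lower-cased, punctuation stripped: the form used for
    blocklist comparison, so 'Summer2018!' and 'summer2018' hit one entry."""
    return re.sub(r"[^a-z0-9]", "", unicodedata.normalize("NFKC", pw).lower())


# Constructed sample standing in for a breach corpus / common-password list.
SAMPLE_BLOCKLIST = {_normalize(p) for p in (
    "password", "Password1!", "qwerty123", "letmein",
    "Summer2018!", "Spring2018!", "Sum2018!", "Sprn$018",
    "correcthorsebatterystaple",
)}

# A season name (or a vowel-stripped abbreviation of one) followed by a year:
# the shape that forced rotation tends to produce.
SEASON_YEAR = re.compile(
    r"^(spring|summer|autumn|fall|winter|spr|sum|aut|fal|win|sprn|smmr|atmn|wntr)"
    r"[^a-z0-9]?\d{2,4}[^a-z0-9]?$", re.I)


def _has_run(pw, length=4):
    """True if pw contains `length` consecutive ascending or descending
    code points (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + length - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def nist_policy_accepts(pw, blocklist=SAMPLE_BLOCKLIST, username=""):
    """Checks in the spirit of SP 800-63B 5.1.1.2: a length floor of 8, no
    upper bound, no composition rules, and rejection of values that are
    commonly used, repetitive/sequential, or context-specific.
    Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if _normalize(pw) in blocklist:
        return False, "matches a blocklisted (common or breached) value"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    if SEASON_YEAR.match(pw):
        return False, "season + year pattern"
    if re.search(r"(.)\1{3,}", pw):
        return False, "four or more repeated characters"
    if _has_run(pw):
        return False, "sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates: what each policy makes of them.
    for candidate in ("Sum2018!", "Summer2018!", "Wntr$019",
                      "thisismyverylongpassword", "correct horse battery staple"):
        print(f"{candidate!r:32} NJ: {nj_policy_accepts(candidate)!s:5} "
              f"800-63B: {nist_policy_accepts(candidate)}")
```

Run as a script it shows the inversion the article describes: the 8-character "Sum2018!" is exactly what the NJ rules accept and what an 800-63B blocklist rejects, while a long lower-case passphrase fails the NJ rules and passes every 800-63B check.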

It also gets worse, because as part of this password protocol it will require security questions in order to recover lost passwords.

Additionally, this policy change will require that each user choose and answer three personal security questions that will later allow the user to reset their own password should their account become disabled, for example, because of an expired password. The answers to the three security questions should be kept confidential in order to reduce the risk of unauthorized access and allow for most password resets to be done electronically.

Security questions are themselves a questionable security practice because they are often built around information that, especially in a world of ubiquitous social media, may not be private.

From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo's, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They're meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won't forget your mother's maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet's name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.

The Wired article this passage came from is already two years old. Far from New Jersey imposing an "industry standard" password protocol, it is instead imposing one that is outdated and discredited, which stands to undermine its systems security, rather than enhance it.

And largely, it seems, because the judiciary does not understand the particular needs of its users – who are not all the same. Some may log into these sites daily, while others (like me) do so only once a year when it's time to pay our bar dues. (What does this 90-day reset requirement mean for an annual-only user?) Furthermore, although things have been improving over the years, lawyers are notoriously non-technical. They are busy and stressed, with little time to waste wrangling with the systems they need to use to do their job on behalf of their clients. And they are often dependent on vendors, secretaries, and other third parties to act on their behalf, which frequently results in credential sharing. In short, the New Jersey legal community has some particular (and varied) security needs, all of which need to be understood and appropriately responded to in order to improve systems security overall for everyone.

But that's not what the New Jersey courts have opted to do. Instead they've imposed a sub-market, ill-tailored, laborious, and needlessly demanding policy on their users, and then blamed it on NIST. But as yet another NIST study explains, security is only enhanced when users can respect the policy enforcing it. The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

The key finding of this study is that employees’ attitudes toward the rationale behind cybersecurity policies are statistically significant with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance to protect passwords and system security.

As NIST noted in a summary of the study, "'security fatigue' can cause computer users to feel hopeless and act recklessly." Yet here are the New Jersey courts, expressly implementing, for no good reason, a purposefully cumbersome and frustrating policy, one that could hardly be better calculated to overwhelm users, and which, despite its claims to the contrary, is far from a respected industry norm.


Filed Under: new jersey, nist, passwords, security


Reader Comments


  • Anonymous Anonymous Coward (profile), 17 Aug 2018 @ 8:24am

    See how security conscious we are?

    It certainly appears that the New Jersey Judiciary is simply following the legislative lead. They are doing something about security. To them, that it is wrong, does not abrogate the fact that they did 'something'.


  • Paul Brinker, 17 Aug 2018 @ 9:31am

    Same Policy

    I work in an IT field, I find that the first thing I do when allowed is to turn off 90 day password policies.

    The only thing this has done is made my passwords cycle over a few years. This is still less secure than the alternative of a long passphrase made from all lower case letters.

    "Thisismyverylongpassword" is more secure than !@ABCDe

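The comparison in this comment can be checked with a simple keyspace estimate. The following is an added example, not the commenter's code: it models an attacker's search space as alphabet size raised to the length, taking the alphabet to be the union of the character classes the password actually uses, and converts that to a worst-case enumeration time at an assumed offline guess rate of 1e10 per second. The 33-character "special" class, the guess rate and the helper names are assumptions. The figures are upper bounds: dictionary and pattern attacks find real-world passwords far faster than exhaustive search, so a class-rich 8-character string is, if anything, flattered by this model.

```python
import math

# Alphabet sizes per character class.  33 is the count of printable ASCII
# characters that are neither letters nor digits, space included.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def alphabet_size(pw):
    """Size of the union of the classes present in pw: the alphabet an
    attacker who knows which classes were used must search per position."""
    size = 0
    if any(c.islower() for c in pw):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in pw):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in pw):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in pw):
        size += CLASS_SIZES["special"]
    return size


def brute_force_bits(pw):
    """log2 of the candidates an exhaustive search over that alphabet and
    length must try.  An upper bound on strength: words and patterns such
    as a season plus a year collapse the real figure to almost nothing."""
    return len(pw) * math.log2(alphabet_size(pw))


def policy_ceiling_bits(max_len, alphabet=95):
    """The most any password can offer under a policy with a hard maximum
    length, assuming all 95 printable ASCII characters at every position."""
    return max_len * math.log2(alphabet)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to enumerate 2**bits candidates.  The default rate is
    an assumed figure for an offline attack on a fast hash, not a measurement."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds):
    """Render a duration coarsely (seconds, days or years) for comparison."""
    if seconds < 86400:
        return f"{seconds:.0f} seconds"
    if seconds < 365.25 * 86400:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / (365.25 * 86400):.3g} years"


def compare(*passwords):
    """Return (password, bits, worst-case time) per candidate, weakest first."""
    rows = []
    for pw in passwords:
        bits = brute_force_bits(pw)
        rows.append((pw, bits, human_time(seconds_to_exhaust(bits))))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    # The two strings from the comment above, then the ceiling an
    # eight-character maximum imposes on every password a policy can allow.
    for pw, bits, t in compare("!@ABCDe", "Thisismyverylongpassword"):
        print(f"{pw!r:28} {bits:6.1f} bits  {t}")
    ceiling = policy_ceiling_bits(8)
    print(f"8-char ceiling: {ceiling:.1f} bits, {human_time(seconds_to_exhaust(ceiling))}")
```

Even with the full 95-character alphabet at every position, an eight-character maximum caps every password at roughly 52.6 bits, a few days of exhaustive search at the assumed rate; the 24-character mixed-case phrase sits near 137 bits. Length, not class mixing, is what moves the number.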

    • ShadowNinja (profile), 17 Aug 2018 @ 10:13am

      Re: Same Policy

      I've heard stories of workplaces with this policy.

      A lot of employees did one of two things to remember their constantly changing passwords:

      • Wrote their passwords down and left it somewhere on their desk. (this is referred to as the 3 feet rule, where if you throw a bunch of arbitrary password rules on that make it hard to remember your password users will leave their written down password within 3 feet of their desk chair)

      • Used passwords like "Summer2018!", "Spring2018!" to make it easy to remember.


      • Chris Brand, 17 Aug 2018 @ 10:37am

        Re: Re: Same Policy

        "Used passwords like "Summer2018!", "Spring2018!" to make it easy to remember."

        The good news is that they've made that hard to do by having a max password length of 8 characters.


        • Sharur, 17 Aug 2018 @ 11:19am

          Re: Re: Re: Same Policy

          I misread that (in the article). I thought it was the standard 8 character MINIMUM...this is even worse.


          • Anonymous Coward, 17 Aug 2018 @ 11:55am

            Re: Re: Re: Re: Same Policy

            1) A password must be a random string of 27 characters, numbers, and special characters.
            2) It must be changed weekly.
            3) Do not write it down.


          • orbitalinsertion (profile), 18 Aug 2018 @ 12:47am

            Re: Re: Re: Re: Same Policy

            And this is one of the dumbest things with passwords. A low character limit is bad enough, but it's even more fun when they do not tell you what the limit is...


        • Atkray (profile), 17 Aug 2018 @ 5:56pm

          Re: Re: Re: Same Policy

          oooooh!!! I was needing a new password for work thank you.


        • Bergman (profile), 20 Aug 2018 @ 9:04am

          Re: Re: Re: Same Policy

          So they switch to "Sum2018!" and "Spr2018!". And since a season is about 90 days, that gives them a password that meets all the new password requirements of the NJ courts.

          And the hackers win too, because that password is guessable by the sort of botnets serious hackers use for this sort of thing in less than 4 hours.


    • Anonymous Coward, 17 Aug 2018 @ 5:36pm

      Re: Same Policy

      Anyone enforcing a periodic password change policy should be forced to kneel and shot in the back of the head at point-blank range.

      Then they should be fired.


  • Robot Xterminator!, 17 Aug 2018 @ 9:34am

    Joisey is DOOMED!

    OR, it may be a reasonable policy for site that has many people using it briefly over short periods of time in a given case, then leaving the passwords lying around.

    BUT OF COURSE A TECHDIRT RE-WRITER KNOWS BETTER EVERY TIME.


    • Paul Brinker, 17 Aug 2018 @ 9:52am

      Re: Joisey is DOOMED!

      It's not a very reasonable policy. It mostly results in people clicking on the reset password link all the time.

      Reset password links are often the weak link. Mostly because they make them super easy to use. Firms are really bad at people calling in on them as well. All it takes is 1 call to steal someone's account, a call to change the password.


    • Gary (profile), 17 Aug 2018 @ 9:57am

      Re: Joisey is DOOMED!

      Or the author has done some research to back up their position, as well as citing the relevant portions of the NIST. And has talked to IT folks who know that 90-day password cycling (with an EIGHT character length limit) is an ass system.


    • Anonymous Coward, 17 Aug 2018 @ 10:12am

      Re: Joisey is DOOMED!

      Did you read the article?
      Did you read the NIST std?

      What do you consider to be reasonable? And how is this case reasonable considering the environment in which it resides?

      Not sure why people use caps .. it is sorta silly and makes you seem to be a bit off kilter while working on your manifesto.


    • ShadowNinja (profile), 17 Aug 2018 @ 10:21am

      Re: Joisey is DOOMED!

      You should read this famous XKCD comic on password strength

      And the worst part is a bunch of sites still don't allow CorrectHorseBatteryStaple as a password because of it violating those password rules. Which makes requiring password switches every so many days even worse for all the reasons this comic highlights.


      • That One Guy (profile), 18 Aug 2018 @ 12:07am

        Re: Re: Joisey is DOOMED!

        To be fair, were I in charge of setting password rules on a site I wouldn't allow that one anyway, because at this point you can be sure anyone trying to crack an account would try that one early on (if not first) just in case.

        That point that many sites still have stupid password rules on the other hand stands.


    • Anonymous Coward, 17 Aug 2018 @ 10:33am

      Re: Joisey is DOOMED!

      Or, you know, security experts that have studied these issues know better than you.


    • Agammamon, 17 Aug 2018 @ 11:46am

      Re: Joisey is DOOMED!

      No, a reasonable policy would be to deactivate accounts that aren't used at least once in that 90 days.


    • Ninja (profile), 17 Aug 2018 @ 12:25pm

      Re: Joisey is DOOMED!

      If you had informed yourself about password policies before posting your petty attacks you'd have realized that, empirically speaking, people tend to fuck up when you impose expiration dates on passwords by choosing sequential, dumb keys their biological, limited memories can actually remember. You can visit Troy Hunt's blog for very good tips and Have You Been Pwned site for more insight on bad password practices and how common they are.

      Don't make a fool of yourself.


    • Anonymous Coward, 17 Aug 2018 @ 1:07pm

      Re: Joisey is DOOMED!

      OR, it may be a reasonable policy for site that has many people using it briefly over short periods of time in a given case, then leaving the passwords lying around.

      No, that's never a reasonable policy. Especially when the max character limit is a measly 8 characters. If it's only going to be used briefly for a short period, then the better way to handle it is to disable their account automatically after a few days, once they've done what they needed to. Or grant access using time limited, temporary credentials, and require re-registration each time they need access. Or another option, issue security tokens.

      BUT OF COURSE A TECHDIRT RE-WRITER KNOWS BETTER EVERY TIME.

      No, they just know better than you.

      Basically I guess what I'm getting at is almost ANY solution is better than the nonsense you've proposed. Try educating yourself on security before you make a fool of yourself. Oops, too late.


  • Ted the IT Guy (profile), 17 Aug 2018 @ 10:12am

    Security Theater

    I see this in so many large organizations. A 90 day password rotation cycle is a complete farce. Arbitrary complexity requirements/limits and password histories make it that much worse for users, who just tune out these IT policies. What really gets me is when they limit the password length to 8 or 9 characters; my normal passwords are usually at least 15 characters long and I have many over 20.

    Users end up with a piece of paper hidden somewhere at their desk or in their wallet/purse with the list of passwords they rotate through. To make matters worse, they are usually garbage passwords like Sprn$018, Smmr$018, Atmn$018 and Wntr$019.

    Don't even get me started on password reset procedures.


    • orbitalinsertion (profile), 18 Aug 2018 @ 12:49am

      Re: Security Theater

      What is good too is that then yer potential bad actor knows passwords are changed like clockwork and when.


  • OldMugwump (profile), 17 Aug 2018 @ 10:41am

    Oh my

    Two things.

    1) Those are very nearly the worst possible rules for secure passwords. See https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

    2) Of course: https://xkcd.com/936/


    • Ben (profile), 17 Aug 2018 @ 4:57pm

      Re: Oh my

      You just had to link to XKCD didn't you? That's a half hour I'll never get back... saved only by the need to get up from my computer so I could stop looking at random pages.

      You evil evil mugwump you!


  • btr1701 (profile), 17 Aug 2018 @ 10:43am

    Password Lunacy

    My agency does this same nonsense with passwords, but it's even worse. I would *love* to have 90 days with a password. Instead, we're down to 45 days (a month and a half) before we have to change, and our passwords are required to be a *minimum* of 16 characters, and with dozens of rules specifically designed to prevent the password from being anything easily memorable, resulting in everything but literally something that looks like this-- JtwOPm1*%20Mw-- being rejected.

    Now add on top of that the fact that we have multiple systems, all with their own different password rules and change schedules.

    Since no one except Rainman can remember strings of gibberish characters like that which change every 45 days, the end result is a Post-It on everyone's computer with the passwords written down on them, which defeats the entire purpose of this whole blinkered system.


  • Wnt, 17 Aug 2018 @ 10:43am

    Designed to fail on purpose

    "Security questions" are not *accidentally* stupid, but *intentionally* stupid. If any site using them had any intent to protect your security, they would let you type in your own security question to answer. Like, duh. Instead, they give you a choice of a few things that are easier for a hacker to guess than for you to remember.

    Now you can try to sell me a conspiracy theory that says that EVERY SINGLE SITE and organization ALL fail to grasp this basic logic ... or you can admit that the purpose of security questions is to be hacked.

    That leaves only one question: are they meant to be hacked only by cops/private investigators/spies etc. who have some "good reason" to prowl through your account without some official rigmarole like a warrant? Or are they designed to be hacked by organized crime in exchange for a simple payment? That I can't be totally sure about. The abundance of overpaid spies supports the former, while the intentional profit centers built into U.S. drugs policy and prostitution policy favors the latter. It's also possible the two are indistinguishable even in principle.


    • Sharur, 17 Aug 2018 @ 11:26am

      Re: Designed to fail on purpose

      Not a conspiracy:

      The purpose of security questions is that WHEN they get hacked, they can wave the security questions in front of a technically illiterate decision maker, to say "yes, we did due diligence and made a reasonable effort to secure the hacked data", and have them buy it, even if they are sending passwords over email and storing them in plaintext.


    • Anonymous Coward, 17 Aug 2018 @ 12:13pm

      Re: Designed to fail on purpose

      Now you can try to sell me a conspiracy theory that says that EVERY SINGLE SITE and organization ALL fail to grasp this basic logic

      "Never attribute to malice that which is adequately explained by stupidity."

      Given our current political and cultural climate, is it really THAT surprising many sites and organizations fail at security?

      Plus you also have to take into account that security wasn't really that big of a thing in the early days of computing, at least not in the public sector and many of these sites and organizations are still playing catch up in that respect.

      Why do some businesses continue to refuse to update their internal IT operating systems and software? Some businesses are still operating on Windows XP for crying out loud. It's not because they're deliberately making their businesses insecure, they just don't understand the ramifications or aren't willing to spend the money and effort to actually be responsible. Being irresponsible is cheaper and easier and they are gambling they won't have any breaches.

      That said, I think we are seeing a paradigm shift, especially with major organizations like Target and Equifax being hacked, they're realizing they can no longer take security so lightly, but now they're playing catch up.

      And it's not "EVERY SINGLE SITE and organization". There are ones out there that do get it right. Are they in the minority? Absolutely but, like I said, that's starting to change. More places are supporting and/or requiring MFA, password policies are being updated to be more robust, along with some sites doing away with the secret questions.

      Case in point, have you ever tried to recover your gmail account? The information they ask for is crazy specific. I have a throwaway gmail account I created years ago that I now can't get access to because I forgot my password and the information Google wants to know before granting me access is stuff I don't even remember. Like how long ago did you create it and when was the last time you accessed it, among others. Hell if I know the last time I accessed it was, sometime way back in high school and early college, but that's a range of at least 4 - 6 years. That's too broad and Google denies me access because I can't be more specific.


      • Wnt, 17 Aug 2018 @ 1:06pm

        Re: Re: Designed to fail on purpose

        That bogus "Hanlon rule" probably was invented by the CIA. In a world full of robo-signers, Russian trolls, botnets, and spy agencies, where even the *proles* entertain themselves learning how to lie to each other on Survivor type shows, I am told five thousand times to believe in pure stupidity without a trace of malice ... even though almost everything any government or company does any more is malicious.

        Next week a bunch of first graders are going to get put on the school bus and there's going to be some little darling who gets whacked on the back of the head before he gets half a block from Mommy. "Oh, sorry, it was an *accident*." Then it's a kick to the back of the seat and cupcake icing in his hair. And he's going to get off the bus to be told by some teacher "Never attribute to malice what can be ... called an accident." Yeah. Uh-huh. Right. You know, a first grader wouldn't believe the second grader behind him was too stupid to know what he's doing. SO WHY SHOULD I BELIEVE THAT A BUNCH OF SELF-PROCLAIMED COMPUTER GENIUSES MAKING WAY MORE THAN I DO ARE DOING THE SAME IDIOTIC THINGS OVER AND OVER AGAIN BY ACCIDENT???


        • Anonymous Coward, 17 Aug 2018 @ 1:35pm

          Re: Re: Re: Designed to fail on purpose

          You need some help.


        • Anonymous Coward, 17 Aug 2018 @ 1:41pm

          Re: Re: Re: Designed to fail on purpose

          That bogus "Hanlon rule" probably was invented by the CIA.

          Considering the concept, if not the label, has been around long before the CIA, you'd be wrong in that assumption.

          even though almost everything any government or company does any more is malicious.

          If you look for conspiracy theories you will absolutely find them. Sorry to burst your bubble but the human race is a bunch of bumbling idiots. We do stupid stuff ALL THE TIME. If you don't believe me look at history. Automatically assuming anything any government or corporation does is inherently malicious is, well, stupid. Look at the facts and weigh them on their merits.

          If it was truly the case that these entities were deliberately making it easy to hack your accounts, then 1) why are so many of them implementing more security features that are much more difficult to hack such as MFA, physical security tokens, etc... and 2) if it was all a giant conspiracy then why hasn't it come to light? Seriously. You can't honestly sit there and tell me that hundreds of thousands of corporations have all plotted together to deliberately let hackers into your accounts and NO ONE has ever come forward with claims or proof of it? We're talking thousands of people who would have to be in the know for decades, there's no way that never gets out.

          some little darling who gets whacked on the back of the head before he gets half a block from Mommy. "Oh, sorry, it was an accident." Then it's a kick to the back of the seat and cupcake icing in his hair.

          I'm so sorry you were bullied as a child. Maybe try to let it go now?

          "Never attribute to malice what can be ... called an accident."

          Intellectually dishonest much? There's a difference between "called an accident" and "explained by stupidity". Maybe try not re-wording things to fit your narrative?

          A first grader deliberately doing those things is different than them happening by accident. And in those cases you bring up it's pretty easy to tell whether it was done maliciously or accidentally. Hanlon's Razor comes in when you can't easily identify whether it was malicious or stupidity. And since you think it's so obvious this is all done maliciously you must have some pretty obvious proof, right? Leaked emails? Corporate documents? Court cases? Eye-witness accounts? Anything? Bueller?

          You know, a first grader wouldn't believe the second grader behind him was too stupid to know what he's doing.

          No, and neither would most adults because there is a BIG difference in evidence if something was done deliberately or by accident. Whacking someone on the back of the head, kicking their seat, and smearing frosting in their hair doesn't happen ordinarily, but if the bus hit a bump and the cupcake went flying was that malicious too? See, your result can be labeled the same if you ignore everything that led up to it.

          Besides that, your schoolyard examples are really apples to oranges to what we're talking about here.

          SO WHY SHOULD I BELIEVE THAT A BUNCH OF SELF-PROCLAIMED COMPUTER GENIUSES MAKING WAY MORE THAN I DO ARE DOING THE SAME IDIOTIC THINGS OVER AND OVER AGAIN BY ACCIDENT???

          Whoever said that computer geniuses were in charge of every single corporation out there? Do you have proof of this?

          And even if they are computer geniuses, that doesn't make them security geniuses as well.

          And finally, because people are idiots and make mistakes, even if they are "self-proclaimed genius" (note the self-proclaimed part).

          Come on man, this isn't hard.


  • peter, 17 Aug 2018 @ 10:47am

    Our 'secure' password policy

    My work implemented a policy where the user was not allowed to choose the password.

    The user was presented a password of 9 characters with a random mix of uppercase, lowercase, numbers and special characters.........and it changed monthly.

    Did we write it down? Of course we f***ing did!


  • ECA (profile), 17 Aug 2018 @ 11:34am

    HOW long has it taken..

    For the MAJOR sites to learn the lessons about passwords??

    There is one site I need to pay bills, that I ALWAYS have to redo, almost every month. It cant ID' my computer.

    Beyond..
    A Name(dont think of it as NAME, Make it Any word you want)

    A REASONABLE password(Patterns work better than anything else, I have customers that have 5 email accounts they cant figure the password for)(and have Never forgotten the one I created on their computer)

    DEDICATED Phone contact Phone number, OR 2.
    An email address, NOT from your ISP.. OR 2.

    1-2 Secret words.. I say words, because the Questions mean nothing...its the Answer that Counts. Dont give name of your Dog, Parents, or your School...MAke up a BETTER WORD.

    NEVER ask for your password..ASK for it to be sent to your EMAIL..PHONE, or other location that you have already set.

    MANY sites keep a list of changes, you have made to your account and Data.. Which is GREAT. BUT pay attention to any EMAIL warning..
    NEVER CLICK AN EMAIL YOU DONT KNOW..GO DIRECT TO THE SITE YOURSELF. If there is a problem CONTACT THEM..Be aware you will be asked REAL questions..


  • Anonymous Anonymous Coward (profile), 17 Aug 2018 @ 11:35am

    Easier, and safer to do.

    Maybe a better way would be to provide a link to a password manager, tell them how to set the password length to 32 characters, and tell them to use the password manager's Manage Password Policy function, with correct settings, and then the generate function, which will give a fairly random but properly complex password that is then saved. The only password the user then needs is the one to their password manager.


  • Agammamon, 17 Aug 2018 @ 11:44am

    Something else the NJ courts should be asking - who the hell decided that NIST compliance was mandatory? Or even a good thing?

    It's like someone in IT management decided to pick a random standard publisher and impose it on the courts state-wide. But NIST compliance won't save you from liability and so - why do that rather than an in-house standard that you developed with the needs and peculiarities of your users in mind?


  • Derek Kerton (profile), 17 Aug 2018 @ 12:05pm

    Longer Passwords Are Better

    "Users must select passwords that are no more than eight (8) characters long..."

    If Jersey is not allowing passwords longer than 8 chars, I think we can all agree that this is stupid, not user friendly, and also less secure than longer passwords.

    And, of course it's, AGAIN, the opposite of NIST recommendations.

    From NIST 800-63B:
    "Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length."


    • Ninja (profile), 17 Aug 2018 @ 12:30pm

      Re: Longer Passwords Are Better

      Some say even this limit is arbitrary. Services should allow password managers and impose no restrictions at all if possible, while also providing solid 2FA. Google has reported that no employee has fallen victim to phishing attacks since they adopted physical keys as 2FA (guess they're using Yubico stuff).

      NJ screwed up. Badly. If this came from their IT staff then they should fire the ones responsible.


  • Christenson, 17 Aug 2018 @ 12:12pm

    Hacking idea

    (Hacks into the Techdirt account to pay their bill)

    Might want to start with the presumption that anonymous access to public court records doesn’t need a password!


  • Kev (profile), 17 Aug 2018 @ 12:55pm

    NIST 800-53 Control Set

    IA-5 is the relevant NIST control. Here's the control enhancement section and as you can see, it's all defined by the organization:

    Control Enhancements:
    (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
    The information system, for password-based authentication:
    (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
    (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
    (c) Stores and transmits only cryptographically-protected passwords;
    (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
    (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
    (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.

    I think what they may actually be referring to is CJIS, not NIST. Here is the relevant control from that set:

    5.6.2.1.1 Password
    Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:
    1. Be a minimum length of eight (8) characters on all systems.
    2. Not be a dictionary word or proper name.
    3. Not be the same as the Userid.
    4. Expire within a maximum of 90 calendar days.
    5. Not be identical to the previous ten (10) passwords.
    6. Not be transmitted in the clear outside the secure location.
    7. Not be displayed when entered.

    Either way, it's a shit policy.


    • Jeff R, 19 Aug 2018 @ 11:35am

      Re: NIST 800-53 Control Set

      That is the older, superseded NIST guidance.

      The [new NIST guidance](https://pages.nist.gov/800-63-3/sp800-63b.html), published June 2017, does not require password categories and explicitly discourages (SHOULD NOT) arbitrary password change requirements (e.g., password expiration), with forced password changes only encouraged when there is evidence that the password has been compromised.

      They also recommend that the entered password be allowed to be displayed at the request of the user (for example, when they are alone, etc) to reduce typographical errors in password entry.

      In fact, most of the recommendations they previously made have been rescinded.


  • tom (profile), 17 Aug 2018 @ 1:12pm

    Seems we might have identified the bureaucratic lag in NJ at about 10 years as that seems to be when those password standards were last fairly current.

    And I have a deep hate for 'Security Questions'. Years ago, we had an employee leave, on good terms, from a remote office. A few months later, we had to call the ISP to change something with the account. They required the correct answer to the Security Question answered several years earlier by the recently departed employee. Ever had to guess the Favorite Restaurant of a former employee that worked in a town 50 miles away?


  • Oblate (profile), 17 Aug 2018 @ 1:39pm

    If this is an improvement...

    I shudder to think how bad their password policy was previously. Are they trying to make it easier to break into their systems? What's next, mandating plugging in found USB drives? Requiring mailing their passwords in plain text? Picking your password from a drop-down list instead of typing it in?


  • Anonymous Coward, 17 Aug 2018 @ 4:25pm

    Requiring people to create passwords that they have to write down is the opposite of security. Someone should tell my bank this too.


  • Anonymous Coward, 17 Aug 2018 @ 5:06pm

    I wish I could say Russia wasn't involved.

    Quote: The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

    How in the world is an eight digit, basic alphanumeric passcode supposed to be more secure?
    Makes you wonder who implemented the change in protocol and whether or not they were bribed by or influenced by Russians in some manner.


  • NotheBrain, 17 Aug 2018 @ 5:39pm

    New Jersey password stupidity

    What could you expect for a state that has School Districts with School Boards and Superintendents but no schools in that district?


  • Lawrence D’Oliveiro, 17 Aug 2018 @ 6:00pm

    Writing Down Passwords Is Fine

    If you can’t remember your passwords, by all means write them down. But keep those notes safe. You know how to keep your credit cards and your keys and your cash safe from being lost or stolen, right? Just keep your passwords in the same place.

    Common sense, really.


    • Anonymous Coward, 17 Aug 2018 @ 9:51pm

      Re: Writing Down Passwords Is Fine

      You know how to keep your credit cards and your keys and your cash safe from being lost or stolen, right?

      Stealing credit cards is not so useful anymore, because people will notice quickly and cancel them, plus they require PINs. It's more practical to snap a discreet photograph of the card, including security code, and sell it online.

      And in fact, people don't know how to keep their keys safe. Some people wear them fully visible on an exposed keychain. I understand it's trendy now to post pictures of one's house keys when buying a house. Do you remember when the TSA key bitting leaked similarly? (Never mind that one would have had millions of cheap cylinders to reverse-engineer even if it hadn't.)


  • Christenson, 17 Aug 2018 @ 6:48pm

    Personal password policy

    I *ASSUME* that etc/password will be stolen, and that any password under 16 or so random characters will be rendered in the clear.

    Likewise, truthful answers to secondary questions will always be discoverable and are likely to leak.

    Therefore, a 16 character random string which increments my favorite punctuation character is what I use to protect a work account, and the answers to the secondary questions are random strings kept in a little black book.

    But... dear courts, do make sure that whatever the passwords are required for actually needs protection and isn’t just a public record!


    • Anonymous Coward, 18 Aug 2018 @ 4:43pm

      Re: Personal password policy

      "I *ASSUME* that etc/password will be stolen, and that any password under 16 or so random characters will be rendered in the clear."

      Why not use shadow password? iirc, it is enabled by default.


      • Christenson, 18 Aug 2018 @ 9:23pm

        Re: Re: Personal password policy

        I meant /etc/password *or its equivalent*.... any computer that requires you to enter a password has to keep the hash (we hope it's a hash!) somewhere to allow it to be checked. That somewhere is what I assume will be stolen.


        • Anonymous Coward, 19 Aug 2018 @ 8:26am

          Re: Re: Re: Personal password policy

          You also assume the thief is capable of decrypting same, not that it is difficult to do but not many are willing to spend the time unless there is something of known value to be stolen from you. The time it takes to decrypt is (should be) proportional to the complexity of the password.


          • Christenson, 20 Aug 2018 @ 10:50am

            Re: Re: Re: Re: Personal password policy

            Umm, that complexity is exponential in the length of the password...which is why I think 16 characters (and not, say 24 or 48) is good enough.
            I started with the assumption that whatever I was protecting was valuable enough to steal. No password at all has been good enough for me on Techdirt, for example. If it's just a crap account, like a place I ask for tech support, I don't bother with password security.


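As an added example (not code from this thread, from NIST, or from any court system), the Python below models the working assumption in Christenson's sub-thread: the verifier's password store is treated as already stolen, so what matters is the per-guess cost of the stored hash and the number of guesses a uniformly random secret of a given length forces, which grows exponentially with length. It compares an 8-character alphanumeric secret with a 16-character one drawn from the full printable alphabet, and shows a store/verify pair that keeps only a salted, iterated digest. The iteration count is an assumption for illustration; a memory-hard KDF such as scrypt or Argon2 would be the production choice.

```python
import hashlib
import hmac
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ALNUM = string.ascii_letters + string.digits                            # 62 symbols
KDF_ITERATIONS = 200_000  # assumed work factor; every guess, legitimate or not, pays it


def generate_secret(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random secret from a CSPRNG; also usable as a 'security question' answer
    that has no relation to the question, as several commenters describe doing."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret: linear in length, so the guess count
    (2 ** bits) is exponential in length."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average number of KDF evaluations an attacker holding the store must perform."""
    return 2.0 ** (bits - 1)


def relative_cost(short_len: int, short_alpha: int, long_len: int, long_alpha: int) -> float:
    """How many times more work the longer secret costs than the shorter one."""
    return expected_guesses(entropy_bits(long_len, long_alpha)) / expected_guesses(
        entropy_bits(short_len, short_alpha))


def store(secret: str) -> dict:
    """What the verifier keeps: a fresh random salt and the iterated digest, never the secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt.hex(), "iterations": KDF_ITERATIONS, "digest": digest.hex()}


def verify(secret: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; constant-time comparison."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    for length, alphabet in ((8, ALNUM), (16, PRINTABLE)):
        bits = entropy_bits(length, len(alphabet))
        print(f"{length} chars from {len(alphabet)} symbols: {bits:.1f} bits, "
              f"~2^{math.log2(expected_guesses(bits)):.0f} guesses on average")
    print(f"16-char printable vs 8-char alnum: 2^{math.log2(relative_cost(8, 62, 16, 94)):.0f}x work")
    secret = generate_secret()
    record = store(secret)
    print("stored record:", record)
    print("verify correct:", verify(secret, record), "| verify wrong:", verify(secret + "x", record))
```

Run as a script it prints the entropy and average guess count for both sizes, the work ratio between them (about 2^57, i.e. doubling eight characters of length adds far more than eight characters' worth of cost), and a stored record containing only salt, parameters and digest.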

  • orbitalinsertion (profile), 18 Aug 2018 @ 12:57am

    I was actually very pleasantly surprised recently in receiving an email from my bank suggesting some actually good password practices. One item included something that i always do: Answer your "security questions" without any regard for the question. I was shocked, to say the least. What is your mother's maiden name? Wrenchgoingstravinskyxiexieburger.


  • Anonymous Coward, 18 Aug 2018 @ 7:45pm

    The next time...

    Some self-declared IT security "professional" tells you to change your password every 30 days for "security", ask them if their car is valuable to them. Then ask them if they have it re-keyed every 30 days to keep it "secure". Be prepared for their deer-in-the-headlights "stupid look".


  • Seegras (profile), 19 Aug 2018 @ 12:36am

    I fought for years...

    ...against stupid password policies, and only recently NIST finally took over the view of us security professionals.

    Of course, some jerks didn't get the memo, didn't read contemporary publications from NIST and still think the old security theater is sanctioned.


  • Mason Wheeler (profile), 20 Aug 2018 @ 8:49am

    That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene.

    This is a very important principle to remember when designing such systems: "Security at the expense of usability comes at the expense of security."


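As an added example, written for this page rather than taken from any commenter, from NIST, or from the NJ judiciary's systems, here is a small Python policy checker that puts the CJIS 5.6.2.1.1 attributes Kev quotes (minimum length, no dictionary word, not the userid, no reuse over ten generations, 90-day expiry) beside the SP 800-63B approach Derek Kerton, Jeff R and Mason Wheeler describe (accept secrets of at least 64 characters, no composition rules, no periodic expiry, forced change only on evidence of compromise, screening against known-compromised values). The legacy policy also carries the eight-character cap from the notice Derek quotes. The word list and breach list are tiny constructed stand-ins, the hash iteration count is an illustration, and the policy field names are this example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for a real dictionary and a real breach corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "jersey", "courthouse"}
KNOWN_COMPROMISED = {"P@ssw0rd", "Summer2018!"}


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash so neither the live secret nor the history is kept in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class PasswordHistory:
    """Previous secrets kept only as (salt, digest) pairs, newest last."""
    entries: list = field(default_factory=list)

    def add(self, secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.append((salt, hash_secret(secret, salt)))

    def contains(self, secret: str, generations: int) -> bool:
        """True if the candidate matches any of the last `generations` secrets."""
        for salt, digest in self.entries[-generations:]:
            if hmac.compare_digest(digest, hash_secret(secret, salt)):
                return True
        return False


@dataclass
class Policy:
    name: str
    min_length: int
    max_length: int           # longest secret the verifier will accept
    require_classes: bool     # upper + lower + digit + symbol composition rule
    reuse_generations: int    # 0 disables the reuse check
    max_age_days: int         # 0 disables periodic expiry
    screen_compromised: bool  # reject values found in the breach corpus


# CJIS 5.6.2.1.1-style rules, plus the eight-character cap from the NJ notice.
LEGACY = Policy("cjis-style", min_length=8, max_length=8, require_classes=True,
                reuse_generations=10, max_age_days=90, screen_compromised=False)
# SP 800-63B section 5.1.1.2: at least 8, accept 64 or more, no composition rules,
# no periodic expiry, but screen against known-compromised values.
MODERN = Policy("nist-800-63b", min_length=8, max_length=64, require_classes=False,
                reuse_generations=0, max_age_days=0, screen_compromised=True)


def check(policy: Policy, candidate: str, userid: str, history: PasswordHistory) -> list:
    """Return the rules a proposed new secret fails; an empty list means accepted."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append("too short")
    if len(candidate) > policy.max_length:
        failures.append("too long")
    if candidate.lower() == userid.lower():
        failures.append("same as userid")
    if candidate.lower() in COMMON_WORDS:
        failures.append("dictionary word")
    if policy.require_classes:
        present = [any(c.isupper() for c in candidate), any(c.islower() for c in candidate),
                   any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
        if not all(present):
            failures.append("composition")
    if policy.reuse_generations and history.contains(candidate, policy.reuse_generations):
        failures.append("reused")
    if policy.screen_compromised and candidate in KNOWN_COMPROMISED:
        failures.append("known compromised")
    return failures


def must_change(policy: Policy, age_days: int, evidence_of_compromise: bool) -> bool:
    """Forced change on evidence of compromise under either policy; calendar expiry
    only where the policy sets max_age_days."""
    if evidence_of_compromise:
        return True
    return policy.max_age_days > 0 and age_days >= policy.max_age_days


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("Winter1!")
    for pol in (LEGACY, MODERN):
        for pw in ("P@ssw0rd", "Winter1!", "correct horse battery staple"):
            print(pol.name, repr(pw), check(pol, pw, "jdoe", hist) or "accepted")
```

The contrast the thread is about falls out directly: the legacy policy accepts "P@ssw0rd" (eight characters, all four classes present) and rejects a 28-character passphrase as "too long", while the 800-63B-style policy does the reverse, and only the legacy policy ever forces a change on the calendar.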
  • sam smith, 20 Aug 2018 @ 6:57pm

    Personal password policy

    What would be the alternative way to do this?


  • Voice of Reason, 30 Aug 2018 @ 6:16pm

    If the judiciary (courts) applications access Federal Tax data, HIPAA data, PCI data, etc., there are various laws and regulations that require 90-day password expirations and at least 7 or 8 character passwords.


  • Anonymous Coward, 3 Jul 2019 @ 11:31am

    The NJ Courts can't pay enough for competence.

    The -average- salary for a Chief Information Security Officer is $157K.

    The highest non-judge salary permitted, as of this writing, is $152,622.50.

    By keeping costs down, they reduce security. Government at work.

