Toward Better Password Requirements

Offered By: BSidesLV via YouTube

Tags

Security BSides Courses, Cybersecurity Courses, Password Management Courses, Character Sets Courses

Course Description

Overview

Explore the evolving landscape of password security in this 57-minute conference talk from BSidesLV 2016. Delve into Jim Fenton's insights on improving password requirements, covering topics such as the SP 800-63-3 update, guiding principles, and standards language. Learn about crucial aspects of password management, including maximum length, character sets, composition rules, and dictionary usage. Examine the implications of verifier storage, secret display practices, and memorized secret expiration. Gain understanding of pre-registered knowledge, out-of-band authenticators, and the role of biometrics in modern authentication. Engage with the ongoing conversation surrounding password security and discover strategies for implementing more effective password policies.

Syllabus

Intro
Disclaimer
A little about SP 800-63
The SP 800-63-3 update
Guiding principles
Standards language
What's in and out in 2016?
Maximum length
Space characters
Character set
Hints and prompts
Throttling
Composition
Dictionaries: questions
Dictionary investigation
Dictionaries: takeaways
Verifier storage
Displaying secrets
Memorized Secret expiration
Pre-registered knowledge
Out of Band authenticator
SMS as OOB authenticator
Biometrics
Join the conversation


Taught by

BSidesLV
