!!! Overview
[{$pagename}] is an [Anti-pattern]: a set of practices that have been shown to be detrimental to [Best Practices Password] and [user Experience]. [1]

Complex [password policies|Password Policy] have proven to do more harm than good, resulting in users creating easy-to-remember passwords that are even easier to [attack|Attack]. The 2019 [Verizon Data Breach Investigations Report] confirms that hackers are taking full advantage, revealing that hacking is the #1 cause of [data breaches|Data Breach] in [2019|Year 2019]. The report identifies [phishing] and the use of [stolen credentials|Compromised Credential] ([passwords]) as the top 2 hacking techniques used in successful [data breaches|Data Breach].

[Microsoft], the [National Institute of Standards and Technology] ([NIST]) and the [United States Department of Homeland Security] have drastically changed their recommendations for strong [password policies|Password Policy].

!! [Password Expiration]
[NIST.SP.800-63B], [Microsoft] and [Bruce Schneier] all recommend that passwords [SHOULD NOT] be arbitrarily expired after some [interval|Password Expiration].

!! [Password Maximum Length]
No limit. [NIST] recommends allowing 256 characters; the length does not matter to the verifier because the password is going to [hash] down to the same number of characters anyway.

!! [Password Periodic Changes]
[Password Periodic Changes] offer no increased security in most cases. [NIST] declared them "__ineffective__ for others" and "[often a source of __frustration__ to users.|user Experience]"

!! The [Shared Secret]
The user is asked to give the site login names and [passwords] for another site in order for the first site to access address books, connection lists or other data kept on the second site. [1]

This is the [{$pagename}] in which a shared secret (the password) directly represents the party in question (the user). By sharing this secret password with applications, the user enables those applications to access protected [APIs].
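To make the [Password Maximum Length] point above concrete, and to show the kind of server-side login throttling the next section calls for, here is an added example; it is not code from this page, from NIST or from any of the sources cited, and the names hash_password, Verifier, ITERATIONS, MAX_FAILURES and LOCKOUT_SECONDS, along with their values, are assumptions chosen for illustration. It accepts 256-character passwords, stores a salted PBKDF2 digest whose size does not depend on password length, and refuses further attempts on an account after repeated failures.

```python
import hashlib
import hmac
import os
import time

MAX_LEN = 256          # page: accept long passwords; the digest size does not change
ITERATIONS = 100_000   # PBKDF2 work factor; raise it for production hardware
MAX_FAILURES = 5       # assumed throttling parameters, not taken from NIST
LOCKOUT_SECONDS = 300

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The 32-byte digest is the same size whether the
    password has 8 or 256 characters, so capping the length buys the verifier nothing."""
    if len(password) > MAX_LEN:
        raise ValueError("password exceeds %d characters" % MAX_LEN)
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

class Verifier:
    """Keeps (salt, digest) per user and throttles failed logins per account."""

    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> (failure count, start of the current window)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        count, since = self.failures.get(username, (0, now))
        if count >= MAX_FAILURES:
            if now - since < LOCKOUT_SECONDS:
                return "throttled"      # throttling applies even to a correct password
            count, since = 0, now       # lockout window has expired; start a fresh one
        record = self.users.get(username)
        if record is None:
            # Unknown account: do the same hashing work so timing does not reveal existence.
            hash_password(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, since)
        return "denied"
```

The `now` parameter exists only so the lockout window can be exercised deterministically; in a real deployment the failure counters would live in shared storage rather than in-process memory.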
!! Pasting of [Passwords]
Preventing the pasting of [passwords] was thought to be a good idea to prevent [brute-Force] [attacks] on [passwords]. Instead, all [password] login forms should have [server-Side Login throttling schemes] and allow pasting of [passwords]. The [National Institute of Standards and Technology] ([NIST]) states its position as follows: [1]\\
''[Verifiers|Password Validator] [SHOULD] permit claimants to use "paste" functionality when entering a [memorized secret|Password]. This facilitates the use of [Password Managers], which are widely used and in many cases increase the likelihood that users will choose stronger [memorized secrets|Password].''

!! [Remember Me] Checkbox
Persistent Login [Cookies] ("[Remember Me]" functionality) __are a danger zone__.

! [CAPTCHA]s against humanity
[CAPTCHAs] are meant to thwart one specific category of attack: automated dictionary/[Brute-Force] trial-and-error with no human operator.

!! [Password Maximum Length]
Limiting [Password Maximum Length].

!! [Password Character Composition]
Limiting [Password Character Composition].

!! [Password Hint]s
The [National Institute of Standards and Technology] ([NIST]) considers Password Hints a bad idea:\\
''[Verifiers] [SHALL NOT] permit the subscriber to store a "hint" that is accessible to an __unauthenticated__ claimant.''

! Using [Identity questions]
__Do not implement 'secret questions'__. The '[Identity questions]' feature is a security [Anti-pattern] and a [Password Anti-Pattern].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Password Anti-Pattern|http://designingsocialinterfaces.com/patterns/The_Password_Anti-Pattern|target='_blank'] - based on information obtained 2013-04-10
* [#2] - [Passwords Evolved: Authentication Guidance for the Modern Era|https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/|target='_blank'] - based on information obtained 2017-07-26