• 0 Posts
  • 24 Comments
Joined 1 year ago
Cake day: July 2nd, 2023
  • Hasherm0n@lemmy.worldtomemes@lemmy.worldI am going to violate the Geneva convention
    8·
    3 months ago

    What you want is NIST 800-63b https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret

    Specifically sections 5.1.1.1 and 5.1.1.2.

    Excerpt from 5.1.1.2 pertaining to complexity and rotation requirements:

    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

    Appendix A of the document contains their reasoning for changing from the previous common wisdom.

    The tl;dr of their changes boil down to length is more important than any other factor when it comes to password security.

    Edit to add:

    In my personal opinion, organizations should be trying to move away from passwords as much as possible. If your IT team seems to think this system is so important that they need to rotate passwords every month, they should probably be transitioning to hardware security tokens, passkeys, or worst case, password with non-sms MFA.

    Now I know nothing about the actual circumstances and I know there are plenty of reasons why that may not be possible in this specific case, but I’d feel remiss if I didn’t mention it.

  • Hasherm0n@lemmy.worldtomemes@lemmy.worldI am going to violate the Geneva convention
    23·
    3 months ago

    Any organization still doing this is a decade behind best practices. NIST published new recommendations years ago that specified getting rid of the practice of regular forced password resets specifically because they encourage bad practices that make passwords weaker.

    Of course it doesn’t help that there are some industry compliance standards that have refused to update their requirements, but I don’t know of any that would require monthly password changes.

  • Hasherm0n@lemmy.worldtoNews@lemmy.worldDonors raise $233,000 to give US cart pusher, 90, chance at retirement
    3·
    6 months ago

    I worked at a grocery store in 2003 in California for a short time. I joined just after a major strike had ended. As always, the company was pushing for lower wages and benefits, the union wanted higher. They came to an agreement with a two tiered system, tenured employees got to stick with a pay scale and benefits slightly better than what they’d had before.

    New employees got fucked.

    A couple months in I was promoted to cashier from bagger and got to see the two tiers. I was starting at $18 per hour, the original tier started at more than double that and went up pretty high.

    Not really related to your comment, but I’m a little drunk after a rough day and seeing those amounts just really fucking pisses me off. My numbers are not adjusted for inflation and wages have gone down for the job I did in the last 20 years. It’s fucking maddening.

  • Hasherm0n@lemmy.worldtoTechnology@lemmy.worldTo buy no longer means anything :(English
    91·
    8 months ago

    I never even received an email. I haven’t touched Minecraft in years, probably never would have again, but my daughter is getting into it and I thought it would be fun to play with her. I found out about the migration when trying to troubleshoot why I couldn’t log in.

    I tried to contact support and they told me that they had “widely communicated the migration through email and social media” and that because I had missed the migration window, I would simply have to buy a new copy. I double and triple checked. No emails regarding the migration and I’m not on social media.