New password advice from NIST

If you’ve created an account on any service or web site in the last decade and a half, there’s a good chance you encountered some annoying password rules. The ones that insist on the use of mixed case letters, numbers, and punctuation.

NIST logoThose weird rules started appearing after 2003, when the US National Institute of Standards and Technology (NIST) published a document entitled Electronic Authentication Guidelines (SP 800-63), which included a set of recommendations for password security. If you’re interested, there’s an archived version of the document (PDF), with slightly updated content (Ver. 1.0.1), on the NIST site.

The Electronic Authentication Guidelines document includes recommendations for ensuring the strength of user-created passwords:

  • require a minimum of 8 character passwords, selected from an alphabet of 94 printable characters;
  • require at least one upper case letter, one lower case letter,
    one number and one special character;
  • prevent subscribers from including common words;
  • prevent permutations of the username as a password; and
  • force frequent password changes.

Users faced with these password-creation rules found ways to work around them, and in the process ended up with less secure passwords. Many users modified their existing passwords in very predictable ways, which made the work of guessing passwords much easier.

The author of those password rules now regrets much of what he said in that 2003 document: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” A new version of the NIST document eliminates many of the original recommendations.

NIST now recommends using long passphrases instead of complex passwords, as described in this classic xkcd comic: ‘correct horse battery stapler’ instead of ‘Tr0ub4dor&3’.

NIST’s new recommendations to site and service providers include eliminating requirements for the use of any particular type of character, eliminating password expiry rules, allowing passwords up to 64 characters long, and allowing the use of the clipboard in password fields.

The new rules make a lot of sense. Combined with the use of a good password manager, and remembering to avoid password re-use, they should make anyone who uses them much safer online.



Windows 10 Pro for Workstations

Microsoft WindowsSince the release of Windows 10, Microsoft has received feedback from certain users, to the effect that the O/S doesn’t meet the “demanding needs of mission critical and compute intensive workloads.” It either doesn’t detect, or simply doesn’t use the capabilities of some types of high-performance hardware.

Microsoft’s answer to that feedback is Windows 10 Pro for Workstations, which will become available for testing soon, via the Insider Preview program.

The new version of Windows 10 includes the ReFS filesystem, which is supposed to be much more resilient than the NTFS filesystem used by standard Windows. It also includes support for non-volatile NVDIMM-N memory modules, which provide high-speed access to files. SMB Direct provides a faster file sharing mechanism. There’s also more support for high performance hardware, including server-grade Intel Xeon and AMD Opteron processors, up to four CPUs (regular Windows is limited to two) and memory up to 6TB (regular Windows is limited to 2TB).

High-end system builders, and people running high-performance niche applications may find these features useful, but I suspect that most people won’t be interested, especially as the new version is likely to be rather expensive, as is the related hardware.

There’s no word yet on whether privacy-related instrumentation will be any easier to disable in Windows 10 Pro for Workstations, or whether system administrators will be able to control which updates are installed, or disable auto-update completely.

Vivaldi 1.11

The latest version of Vivaldi includes numerous bug fixes, as well as useful improvements to Reader Mode, and a setting for disabling animated GIFs. It also sports a new icon.

None of the bug fixes in Vivaldi 1.11 are related to security, so this isn’t a particularly urgent update. To update Vivaldi, click its menu icon, then Help > Check for updates...

Firefox 55

Besides fixing twenty-nine security vulnerabilities, Firefox 55 adds support for the virtual reality technology WebVR, some new performance-related settings, and improvements to address bar functionality. The sidebar can now be on the right side of the browser, instead of only on the left. The Print Preview function now includes options for simplifying what’s printed. Starting Firefox with multiple tabs is now much faster. The Flash plugin is now ‘click to activate’ and only works with regular web and secure web URLs.

The default installation process has been modified, to simplify and ‘streamline’ installation for most users. Traditional, full installers are still available. The somewhat-less-likely-to-crash 64-bit version of Firefox is now installed by default on 64-bit systems with at least 2 GB of RAM.

Mozilla steadfastly refuses to mention version numbers in Firefox release announcements (including the one for Firefox 55), or to announce all new versions. Their rationale seems to be that the information exists somewhere, therefore they have done their job. Combined with the unpredictability of Firefox’s internal update mechanism, this is an ongoing frustration for some users (possibly only me).

On that subject, I’m still waiting for my installation of Firefox to notice that a new version is available. Firefox 55 includes changes to the browser’s built-in update process, but it’s not clear whether those changes will actually improve things. From the release notes: “Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.

Update 2017Aug13: According to denizens of Mozilla’s official #firefox IRC channel, the Firefox update servers have been disabled because of some problems with Firefox 55. Of course, Firefox will continue to tell you that “Firefox is up to date”, which can mean several different things. There’s no word on when the update servers will be back online, or what the problems are, but a search of the bug list for Firefox shows a likely candidate: Tabs are all restored as blank frequently after restart of [sic] applying Firefox 55 update. Apparently after upgrading to Firefox 55, some users are having problem restoring tabs, and in some cases, profile information is lost. Recommendation: don’t jump the gun and install Firefox 55 manually. Wait for the next version, which will likely be 55.0.1 or 55.0.2.

Update 2017Aug15: A new post on the Mozilla blog (64-bit Firefox is the new default on 64-bit Windows) confirms that 64-bit Firefox is now the default for 64-bit Windows systems, and that the 64-bit version is much more stable than its 32-bit equivalent. It goes on to say that to get the 64-bit version, you can either download and install it manually, or “You can wait. We intend to migrate the remaining 64-bit Windows users to a 64-bit version of Firefox with a future release.” No word on just how long we’ll have to wait.

Update 2017Aug17: Today, my install of Firefox started showing 55.0.2 as the latest version on its Help > About dialog. I went ahead and let it update itself, and now I’m running the 32 bit version of 55.0.2. According to the release notes, Firefox 55.0.1 fixes the bug in the tab restoration process that was introduced in 55.0. Firefox 55.0.2 fixes a problem with profiles that was introduced in 55.0.

Patch Tuesday for August 2017

It’s once again time for the monthly headache otherwise known as Patch Tuesday.

As you’re no doubt aware from my previous whining, Microsoft no longer publishes a bulletin for each update, and finding useful information in the Security Update Guide is awkward at best. It feels like Microsoft is trying to get everyone to just give up and enable auto-update. Of course with Windows 10 you no longer have a choice: you get updates when Microsoft wants you to have them. Which is one of the reasons I don’t use that particular O/S.

From my analysis of the Security Update Guide‘s entries for August 2017, it appears that we have thirty-nine updates, addressing fifty-three vulnerabilities in Internet Explorer, Edge, Windows, SharePoint, Adobe Flash Player, and SQL Server. Eighteen of the updates are flagged as Critical. Time to fire up Windows Update on all your Windows 8.1 and Windows 7 computers.

Adobe released updates for Flash and Reader today. The Reader update (Reader DC/Continuous: 2017.012.20093; Reader 2017: 2017.011.30059; Reader DC/Classic: 2015.006.30352) addresses sixty-seven vulnerabilities. The Flash update (version addresses two vulnerabilities. Anyone still using Flash or Reader, especially as web browser plugins, should install the new versions as soon as possible.

Flash will plague us no longer… after 2020

Flash was a useful gadget at one time. Used by everyone to play animation, games, and other multimedia content, it was on almost every Windows PC and many mobile devices.

At some point, unknown persons took it upon themselves to determine whether this ubiquitous chunk of software had any weaknesses. And boy, were they rewarded. Flash has, at times, seemed like a bottomless well of security vulnerabilities. No sooner was one hole closed, than another was revealed.

Adobe's efforts to fix Flash

In hindsight, one wonders whether Adobe could have saved Flash with a major, security-focused rewrite. But that’s not what happened. Instead, Adobe kept up the little Dutch boy act, plugging each hole as it was discovered. During this time, Adobe’s updates to Flash sometimes seemed to create more problems than they solved.

Which brings us to the present. The major web browsers have either already dumped support for Flash, or are in the process of doing so. According to Adobe, Flash is still scheduled for its trip behind the woodshed in 2020. Prior to its final exit, Flash will gradually disappear from most of its remaining hiding places.

What remains of Flash will exist in systems that are not easily updated: A/V and advertising kiosks, PCs in business and industry running old versions of Windows, and a few dying phones.

That just leaves one question: what’s the next piece of software that will drive us crazy with terrible security and endless updates?

Peter Bright is a bit sad about the impending demise of Flash.

Brian Krebs provides some additional details.