That list makes for a nice slidedeck but the separation (like many things in tech) isn't as clear cut as the metaphor.
"Something you know" (password) becomes "something you have" as soon as you store/autogenerate/rotate those passwords in a manager (which is highly recommended).
"Something you have" in the form of a hw key is still that device generating a key (password) that device/browser APIs convey to the service in the same way as any other password.
"Something you are" is a bit different due to the algorithms used to match biometric IDs but given that matching is less secure than cryptographic hash functions - this factor is only included in the list for convenience reasons.
The breakdown of this metaphor is one of the reasons passkeys are seen as a good thing.
Not sure what you mean, it's still a second unique token that an attacker would need to know to access my account, so it's improving my security even when stored in my password manager. This was in response to grandparent's opinion that it's "at best a reduction in security".
I'm not talking about my password vault getting breached, in that case I'd be fucked either way.
> I'm not talking about my password vault getting breached, in that case I'd be fucked either way.
But that's the whole point. If your password vault is breached, the second factor is what prevents you from being fucked. That's why putting your seeds in the vault is a reduction in security. It may be a reduction/risk that you're willing to take for convenience, but it's still a reduction.
This has been in their guidance since at least 2017.
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator"
Also worth pointing out that NIST doesn't set policy, so unfortunately this doesn't directly "forbid" anything, though many other policies reference 800-63.
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. "
The only employer I've had which had a dumb rotation rule was of course a huge American Credit Reference Agency which due to ordinary incompetence lost a lot of people's personal information.
These days I work in tertiary education, so there's a complete spectrum from people who probably have memorised a unique sixteen alphanumerics password twenty years ago to folks who needed a service desk worker to help them walk through resetting after having forgotten their password was the name of one of Henry VIII's wives. And there's likewise a spectrum between "I hand-built this optical splitter and splice so that I could steal the exam answers without any trace on the network" and "I wrote the formulae on my thigh in permanent marker and then wore a skirt with a big slit down one side" in terms of the technical sophistication of attacks.
Edited to add: When I did work for the CRA with the rotation rule I would write down each of the passwords in columns in the back of my log book since otherwise I might forget one and that was a huge pain to get reset, it's just not realistic to memorize "random" values you'll have to replace frequently. And of course they had two "Single" Sign On systems because of warring management, so that's two passwords to rotate.
It’s because the CIO or whomever is running the show is a relic from the 1990s. I can tell a lot about a company by their password policies. There also seems to a direct correlation to silly password and “security” policies and the usage of Microsoft products such as Teams and Outlook.
> It’s because the CIO or whomever is running the show is a relic from the 1990s.
More often, it's because the "cybersecurity insurance" is a shitshow. When you as a CIO deviate from their requirements and get 0wned, you're getting stuck with the bill.
I've found it commonplace these days at least in europe that organisations use SSO via an identity provider that requires MFA for everything they can - even clients who are banks and utilities that usually move at a glacial pace.
The last time I worked anywhere with periodic password change was 8 years ago and they were phasing it out. The same place would reset your password to Monday123 if you got locked out (whether you needed a password reset or not) and forget to set the "force change" flag.
Yes. My very large employer hasn't required me to change my password in over two years. But at the same time, 2FA requirements have changed to more secure forms (going from having to select one of 3 numbers on a prompt to having to type in the number, for example), and some resources can only be accessed using a hardware key or even a special laptop.
I've encountered situations where the requirement to rotate passwords was obligated by contractual agreements. For instance, this is still the published guidance documentation on the HHS website for HIPAA compliance (https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/ad...):
> Covered entities must train all users and establish
> guidelines for creating passwords and changing them
> during periodic change cycles.
If you have a contract that deals in HIPAA related information, you might be contractually obligated by the entity subject to HIPAA to have password rotations so that they can check the right boxes for compliance. Even though HIPAA isn't supposed to dictate specifics, I sure would't want to be the person that has to explain why they didn't have password rotations in a HIPAA breach report, not matter what NIST said people "should" do. Because between a NIST "should" and the document labeled "HIPAA Security Series" and "Security Standards", in the middle of a shit storm, I wouldn't be counting on folks appreciating the nuances between the two.
From the employer POV, employees cannot be trusted to discover their passwords are compromised, so updating them limits the duration the leaked password works.
{"ad":"Looking for someone to do yard work. Must have a hoolahoop. 760-555-7562","iseven":true}
{"ad":"FOR SALE - collection of old people call 253-555-7212","iseven":true}
{"ad":"Auto Repair Service: Free pick-up and delivery. Try us once, you'll never go anywhere again. Email dave57@qotmail.com","iseven":true}
$ curl https://api.isevenapi.xyz/api/iseven/9999999
{"error":"Number out of range. Upgrade to isEven API Premium or Enterprise."}
$ curl https://api.isevenapi.xyz/api/iseven/2e21
{"error":"what is this I don't even"}
Whoops, fixed and fixed! And regression tests added.
I had made a silly, silly mistake when I went to restrict numbers longer than 7 digits from the "free plan", I had at the same time disallowed digits larger than 7 as being "valid digits", so anything with an 8 or a 9 had been "invalid".
These come in handy in an instructional context—being able to have a simple predictable API that you can point students at so they can learn how to call an API and process its data.
Young-ish cancer survivor here. I would add "9a. Don't ever go to a tanning salon" to this list, per my oncologist. There are genetic factors that caused my cancer, so naturally I was worried about recurrence. Her comments to me? "Do you smoke? No? Good. Don't start. Do you visit tanning salons? No? Good. Don't start." The rest falls into "trying to live a moderately healthy lifestyle". Oh, and definitely #6. If something doesn't seem/look/feel right then have a doctor check it out.
I’ve often wondered if the higher vitamin D we get from the sun or even tanning beds outweighs the risks from melanoma. Low vitamin D is a big risk factor in the modern world.
> Therefore, we rebut these conclusions by addressing the incomplete analysis of the adverse health effects of UV and sunbed exposure (what is ‘safe’?) and the censored representation of beneficial effects, not only but especially from vitamin D production. The stance taken by both agencies is not sufficiently supported by the data and in particular, current scientific knowledge does not support the conclusion sunbed use increases melanoma risk.
The first article merely shows that the use of tanning beds is one way to raise vitamin D levels. The second tries to make vitamin D an issue, but to show that there is a case for raising vitamin D levels in a nontrivial part of the population, it relies on studies which show that supplementation via pills is beneficial! It is one thing to say that there is no good evidence for tanning beds increasing melanoma risk (a claim that I am in no position to either endorse or dispute), but I regard it as tendentious for the authors to raise the vitamin D issue when no evidence is presented to show that tanning beds are any better at doing this than simple supplementation - it is like saying that one of the benefits of chemically treating the water supply is that dehydration is bad for you.
It is known that vitamin D is best obtained from sunlight. I was once at a dinner and sitting with the head of the office for supplements for the United States and asked him how much vitamin D someone should get. His answer was quite simple, get it from sunlight. The skin autoregulates vitamin D dosage that way.
>Thus when the skin is exposed to sunlight it can only convert approximately 15% of 7-dehydrocholesterol to previtamin D3 (Fig. 18).32 Any further exposure will result in a photoequilibrium whereby previtamin D3 is converted into lumisterol3 and tachysterol3 as well as revert back to 7-dehydrocholesterol (Fig. 17). In addition when vitamin D3 is made from previtamin D3 in the skin if it is exposed to solar UVB radiation it will absorb UVB radiation and be converted into several suprasterols and 5,6-trans-vitamin D3 (Figs. 17 and and19).19). In addition previtamin D3 can also be converted to several toxisterols (Fig. 20).33-36 Therefore no matter how much sun a human is exposed to vitamin D intoxication will not occur because any excess previtamin D3 and vitamin D3 is photodegraded into products that have no calcemic activity.31,32
No doubt, but it is an empirical fact that this is not working too well for a nontrivial number of people - and if it were working well, there would still be no reason to bring up the issue in the article about sunbeds, especially as no evidence for vitamin D intoxication being a difficult-to-avoid problem in practice was presented either in that article or above. If sunlight is the optimal solution, then outdoor activity is better for you than lolling on a sunbed.
I am a case in point: I am frequently outdoors in all seasons, well beyond the point where I have to be careful to avoid sunburn, yet I have a significant all-seasons vitamin D deficiency. The conclusion of the abstract to the article you link to says "a three-part strategy of increasing food fortification programs with vitamin D, sensible sun exposure recommendations and encouraging ingestion of a vitamin D supplement when needed should be implemented to prevent global vitamin D deficiency and its negative health consequences" [my emphasis.]
To get enough vitamin D you need ~10 minutes a day[1] in direct sunlight with 25% skin exposed.
> In spring and summer, 25 percent of the body (the hands, face, neck and arms) is exposed to the sun, and in these seasons, about 8 to 10 minutes of sun exposure at noon produces the recommended amount of vitamin D.
At noon, in summer, in Spain. And probably 25% of your skin needs to be hit by direct perpendicular sunlight, and not just be exposed. In any case, don’t assume, go measure your Vitamin D levels.
Sunlight intensity varies greatly. Depending on where you live, season and cloudiness, you may only get a small fraction of the amount implied above. Again, there is no substitute for measuring your levels. Speaking from experience.
Anecdata-point: In the summer I regularly run for hours at a time (marathon training), without a shirt and without sunscreen. (I've got a good tan which seems to keep me from getting sunburned.) And yet I regularly test as low Vitamin D. A daily Vitamin D supplement suffices to keep the numbers in range.
I assume that this is a personal thing, something about my specific metabolism or skin or whatever that doesn't produce vitamin D particularly well. I have no idea if the supplement actually improves my health outcome -- I was generally healthy both before and after adding supplements.
My advice, such as it is: don't take any supplement without a doctor telling you it's needed. But if a doctor says it's necessary, yeah, do that.
Arguably, I think exercise should be #1. EDIT: Assuming they are ordered, otherwise ignore me.
Cancer is about 20% of your chance of death. Intuitively exercise helps with many things on this list. The other (roughly) 25% is cardiovascular/cerebrovascular events. For that, the best thing you can do is exercise. https://news.ycombinator.com/item?id=18264323
Also, several types of preventable cancer are caused by the Human Papilloma Virus (HPV). Get vaccinated for it. Although this virus is primarily associated with cervical cancer, men should be vaccinated for it as well since it can cause penile, oral, anal, and other cancers.
I'm not an oncologist. But I'm married to one. So she tells me these rules on an almost daily basis. Also, many of her cancer patients don't make it - and then she tells me - this person didn't make it because he/she broke this rule #xyz in that list.
I mean, ok, I get it. I work in ML in an enterprise. So everyday we have our usual litany of complaints. This item is not ranked correctly. Boosting isn't working on that item. Human overrode the item recommendation and now the faceting is broken. Search is running out of memory. P2 alert!!! program crashed and we are losing $10000 per hour wake up the programmers in the middle of the night...
So I can also play this rule game.
1. Don't use computer.
2. If you must use computer, don't program.
3. If you must program, please let it not be in Java.
4. If it is Java, please don't call Python ML code from it.
5. Better yet, don't use ML at all if you have humans overriding recs.
6. Don't cache everything to reduce latency. You'll run out of memory.
7. If you run out of memory don't wake up the fucking programmer in the middle of the night when he's trying to get some action.
and so on...I mean, what purpose does it serve ? You can't get programmers in 2024 to stop using hadoop and sprintboot and whatever ancient enterprisecrap. You expect to get Americans to eat less meat, drink less, maintain healthy weight ? With an official obesity rate of 39%, the non-cookedup version hovering in the 70s ? Fat chance.
The factors are:
- Something you know
- Something you have
- Something you are (biometrics)