Added reference to NIST password creation guidelines.

Douglas Muth 2021-11-22 12:08:54 -05:00
parent a08b287501
commit cd0ac120a1

@ -216,6 +216,14 @@ because all BitCoin nodes have a copy of the BitCoin Ledger, and an attacker
<a href="https://umanovskis.se/blog/post/leaky-faucet/">could attempt password cracking your wallet</a>.
<h3>FAQ: Should I add numbers or an exclamation point to my password?</h3>
No, don't do that. The short answer is than length makes your password more secure than special characters do. But don't take it from me, <a href="https://www.engadget.com/2017-08-08-nist-new-password-guidelines.html">take it from the man who put us through password hell</a> and regrets every minute of it.
</p>
The NIST has since released new password creation guidelines in a document which is rather lengthly, <a href="https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/">but summarized nicely here</a>.
<h3>"I can't believe you're sending passwords over the Internet!"</h3>
<a href="dude-chill-just-chill.gif">Chill</a>. I'm not. Passwords are generated within your browser and do not leave it (unless you copy them out yourself).
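Review bot: The new NIST sentence sits after the closing `</p>` of the FAQ answer and is not wrapped in a paragraph of its own, so it renders as loose text between the answer and the next `<h3>`. Wrap it in `<p>…</p>`, or move it above the `</p>` so it stays part of the answer it supports. In the same sentence, "lengthly" should be "lengthy" and "The NIST" reads better as "NIST". The link points only at a third-party summary; since the sentence mentions the NIST document, consider linking that document as well so readers can check the summary against the source.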
@ -226,8 +234,7 @@ because all BitCoin nodes have a copy of the BitCoin Ledger, and an attacker
Yes, insofar as we're using the
<a href="https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues">getRandomValues() function in Javascript</a>,
and you trust that your
browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack
would be for an attacker to compromise the random number generator on your computer so that
browser and computer have not been compromised or otherwise tampered with. Keep in mind that a not-so-theoretical attack would be for an attacker to compromise the random number generator on your computer so that
anything that is encrypted (or passkeys generated) would be suspectible to less intense cryptoanalysis.
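Review bot: The reflow of the "Keep in mind that a not-so-theoretical attack ..." sentence onto a single line is a whitespace-only change that has nothing to do with the NIST reference named in the commit message; drop it from this commit or submit it separately so the history for this paragraph stays readable. If the paragraph is being touched anyway, the unchanged last line needs fixing: "suspectible" should be "susceptible" and "cryptoanalysis" should be "cryptanalysis". The claim itself would also be clearer if it said that a compromised random number generator makes generated passwords predictable, which is the risk that matters for this page.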