feat: total re-write from Emacs org-mode to Zola markdown

1 files changed, 0 insertions, 107 deletions

diff --git a/blog/2019-12-16-password-security.org b/blog/2019-12-16-password-security.org
deleted file mode 100644
index 2b1712c..0000000
--- a/blog/2019-12-16-password-security.org
+++ /dev/null
@@ -1,107 +0,0 @@
-#+date: 2019-12-16
-#+title: Password Security
-
-* Users
-
-** Why Does It Matter?
-
-Information security, including passwords and identities, has become one of the
-most important digital highlights of the last decade. With [[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions of people
-affected by data breaches each year]], there's a greater need to introduce strong
-information security systems. If you think you've been part of a breach, or you
-want to check and see, you can use [[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email has
-been involved in any public breaches. Remember that there's a possibility that a
-company experienced a breach and did not report it to anyone.
-
-** How Do I Protect Myself?
-
-The first place to start with any personal security check-up is to gather a list
-of all the different websites, apps, or programs that require you to have login
-credentials. Optionally, once you know where your information is being stored,
-you can sort the list from the most-important items such as banks or government
-logins to less important items such as your favorite meme site. You will want to
-ensure that your critical logins are secure before getting to the others.
-
-Once you think you have a good idea of all your different authentication
-methods, I recommend using a password manager such as [[https://bitwarden.com/][Bitwarden]]. Using a
-password manager allows you to automatically save your logins, create randomized
-passwords, and transfer passwords across devices. However, you'll need to
-memorize your "vault password" that allows you to open the password manager.
-It's important to make this something hard to guess since it would allow anyone
-who has it to access every password you've stored in there.
-
-Personally, I recommend using a [[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a [[https://en.wikipedia.org/wiki/Password][password]] for your vault
-password. Instead of using a string of characters (whether random or simple),
-use a phrase and add in symbols and a number. For example, your vault password
-could be =Racing-Alphabet-Gourd-Parrot3=. Swap the symbols out for whichever
-symbol you want, move the number around, and fine-tune the passphrase until you
-are confident that you can remember it whenever necessary.
-
-Once you've stored your passwords, make sure you continually check up on your
-account and make sure you aren't following bad password practices. Krebs on
-Security has a great [[https://krebsonsecurity.com/password-dos-and-donts/][blog post on password recommendations]]. Any time that a data
-breach happens, make sure you check to see if you were included, and if you need
-to reset any account passwords.
-
-* Developers
-
-** What Are the Basic Requirements?
-
-When developing any password-protected application, there are a few basic rules
-that anyone should follow even if they do not follow any official guidelines
-such as NIST. The foremost practice is to require users to use passwords that
-are at least 8 characters and cannot easily be guessed. This sounds extremely
-simple, but it requires quite a few different strategies. First, the application
-should check the potential passwords against a dictionary of insecure passwords
-such =password=, =1234abc=, or =application_name=.
-
-Next, the application should offer guidance on the strength of passwords being
-entered during enrollment. Further, NIST officially recommends *not*
-implementing any composition rules that make passwords hard to remember (e.g.
-passwords with letters, numbers, and special characters) and instead encouraging
-the use of long pass phrases which can include spaces. It should be noted that
-to be able to keep spaces within passwords, all unicode characters should be
-supported, and passwords should not be truncated.
-
-** What Does NIST Recommend?
-
-The National Institute of Standards and Technology ([[https://www.nist.gov][NIST]]) in the US Department
-of Commerce regularly publishes information around information security and
-digital identity guidelines. Recently, NIST published [[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication
-800-63b]]: Digital Identity Guidelines and Authentication and Lifecycle
-Management.
-
-#+BEGIN_QUOTE
-A Memorized Secret authenticator - commonly referred to as a password or, if
-numeric, a PIN - is a secret value intended to be chosen and memorized by the
-user. Memorized secrets need to be of sufficient complexity and secrecy that
-it would be impractical for an attacker to guess or otherwise discover the
-correct secret value. A memorized secret is something you know.
-
-- NIST Special Publication 800-63B
-#+END_QUOTE
-
-NIST offers a lot of guidance on passwords, but I'm going to highlight just a
-few of the important factors:
-
-- Require passwords to be a minimum of 8 characters (6 characters if randomly
-  generated and be generated using an approved random bit generator).
-- Compare potential passwords against a list that contains values known to be
-  commonly-used, expected, or compromised.
-- Offer guidance on password strength, such as a strength meter.
-- Implement a rate-limiting mechanism to limit the number of failed
-  authentication attempts for each user account.
-- Do not require composition rules for passwords and do not require passwords to
-  be changed periodically (unless compromised).
-- Allow pasting of user identification and passwords to facilitate the use of
-  password managers.
-- Allow users to view the password as it is being entered.
-- Use secure forms of communication and storage, including salting and hashing
-  passwords using a one-way key derivation function.
-
-NIST offers further guidance on other devices that require specific security
-policies, querying for passwords, and more. All the information discussed so far
-comes from [[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but NIST offers a lot of information on digital
-identities, enrollment, identity proofing, authentication, lifecycle management,
-federation, and assertions in the total [[https://pages.nist.gov/800-63-3/][NIST SP800-63 Digital Identity
-Guidelines]].