format 2018 to 2020 blog posts

1 files changed, 74 insertions, 92 deletions

diff --git a/content/blog/2019-12-16-password-security.org b/content/blog/2019-12-16-password-security.org
index 5693551..aa82711 100644
--- a/content/blog/2019-12-16-password-security.org
+++ b/content/blog/2019-12-16-password-security.org
@@ -7,121 +7,103 @@
 
 ** Why Does It Matter?
 
-Information security, including passwords and identities, has become one
-of the most important digital highlights of the last decade. With
-[[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions
-of people affected by data breaches each year]], there's a greater need
-to introduce strong information security systems. If you think you've
-been part of a breach, or you want to check and see, you can use
-[[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email
-has been involved in any public breaches. Remember that there's a
-possibility that a company experienced a breach and did not report it to
-anyone.
+Information security, including passwords and identities, has become one of the
+most important digital highlights of the last decade. With [[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions of people
+affected by data breaches each year]], there's a greater need to introduce strong
+information security systems. If you think you've been part of a breach, or you
+want to check and see, you can use [[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email has
+been involved in any public breaches. Remember that there's a possibility that a
+company experienced a breach and did not report it to anyone.
 
 ** How Do I Protect Myself?
 
-The first place to start with any personal security check-up is to
-gather a list of all the different websites, apps, or programs that
-require you to have login credentials. Optionally, once you know where
-your information is being stored, you can sort the list from the
-most-important items such as banks or government logins to less
-important items such as your favorite meme site. You will want to ensure
-that your critical logins are secure before getting to the others.
+The first place to start with any personal security check-up is to gather a list
+of all the different websites, apps, or programs that require you to have login
+credentials. Optionally, once you know where your information is being stored,
+you can sort the list from the most-important items such as banks or government
+logins to less important items such as your favorite meme site. You will want to
+ensure that your critical logins are secure before getting to the others.
 
 Once you think you have a good idea of all your different authentication
-methods, I recommend using a password manager such as
-[[https://bitwarden.com/][Bitwarden]]. Using a password manager allows
-you to automatically save your logins, create randomized passwords, and
-transfer passwords across devices. However, you'll need to memorize your
-"vault password" that allows you to open the password manager. It's
-important to make this something hard to guess since it would allow
-anyone who has it to access every password you've stored in there.
-
-Personally, I recommend using a
-[[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a
-[[https://en.wikipedia.org/wiki/Password][password]] for your vault
-password. Instead of using a string of characters (whether random or
-simple), use a phrase and add in symbols and a number. For example, your
-vault password could be =Racing-Alphabet-Gourd-Parrot3=. Swap the
-symbols out for whichever symbol you want, move the number around, and
-fine-tune the passphrase until you are confident that you can remember
-it whenever necessary.
-
-Once you've stored your passwords, make sure you continually check up on
-your account and make sure you aren't following bad password practices.
-Krebs on Security has a great
-[[https://krebsonsecurity.com/password-dos-and-donts/][blog post on
-password recommendations]]. Any time that a data breach happens, make
-sure you check to see if you were included, and if you need to reset any
-account passwords.
+methods, I recommend using a password manager such as [[https://bitwarden.com/][Bitwarden]]. Using a
+password manager allows you to automatically save your logins, create randomized
+passwords, and transfer passwords across devices. However, you'll need to
+memorize your "vault password" that allows you to open the password manager.
+It's important to make this something hard to guess since it would allow anyone
+who has it to access every password you've stored in there.
+
+Personally, I recommend using a [[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a [[https://en.wikipedia.org/wiki/Password][password]] for your vault
+password. Instead of using a string of characters (whether random or simple),
+use a phrase and add in symbols and a number. For example, your vault password
+could be =Racing-Alphabet-Gourd-Parrot3=. Swap the symbols out for whichever
+symbol you want, move the number around, and fine-tune the passphrase until you
+are confident that you can remember it whenever necessary.
+
+Once you've stored your passwords, make sure you continually check up on your
+account and make sure you aren't following bad password practices. Krebs on
+Security has a great [[https://krebsonsecurity.com/password-dos-and-donts/][blog post on password recommendations]]. Any time that a data
+breach happens, make sure you check to see if you were included, and if you need
+to reset any account passwords.
 
 * Developers
 
 ** What Are the Basic Requirements?
 
-When developing any password-protected application, there are a few
-basic rules that anyone should follow even if they do not follow any
-official guidelines such as NIST. The foremost practice is to require
-users to use passwords that are at least 8 characters and cannot easily
-be guessed. This sounds extremely simple, but it requires quite a few
-different strategies. First, the application should check the potential
-passwords against a dictionary of insecure passwords such =password=,
-=1234abc=, or =application_name=.
-
-Next, the application should offer guidance on the strength of passwords
-being entered during enrollment. Further, NIST officially recommends
-*not* implementing any composition rules that make passwords hard to
-remember (e.g. passwords with letters, numbers, and special characters)
-and instead encouraging the use of long pass phrases which can include
-spaces. It should be noted that to be able to keep spaces within
-passwords, all unicode characters should be supported, and passwords
-should not be truncated.
+When developing any password-protected application, there are a few basic rules
+that anyone should follow even if they do not follow any official guidelines
+such as NIST. The foremost practice is to require users to use passwords that
+are at least 8 characters and cannot easily be guessed. This sounds extremely
+simple, but it requires quite a few different strategies. First, the application
+should check the potential passwords against a dictionary of insecure passwords
+such =password=, =1234abc=, or =application_name=.
+
+Next, the application should offer guidance on the strength of passwords being
+entered during enrollment. Further, NIST officially recommends *not*
+implementing any composition rules that make passwords hard to remember (e.g.
+passwords with letters, numbers, and special characters) and instead encouraging
+the use of long pass phrases which can include spaces. It should be noted that
+to be able to keep spaces within passwords, all unicode characters should be
+supported, and passwords should not be truncated.
 
 ** What Does NIST Recommend?
 
-The National Institute of Standards and Technology
-([[https://www.nist.gov][NIST]]) in the US Department of Commerce
-regularly publishes information around information security and digital
-identity guidelines. Recently, NIST published
-[[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication
+The National Institute of Standards and Technology ([[https://www.nist.gov][NIST]]) in the US Department
+of Commerce regularly publishes information around information security and
+digital identity guidelines. Recently, NIST published [[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication
 800-63b]]: Digital Identity Guidelines and Authentication and Lifecycle
 Management.
 
 #+begin_quote
-A Memorized Secret authenticator - commonly referred to as a password
-or, if numeric, a PIN - is a secret value intended to be chosen and
-memorized by the user. Memorized secrets need to be of sufficient
-complexity and secrecy that it would be impractical for an attacker to
-guess or otherwise discover the correct secret value. A memorized secret
-is something you know.
+A Memorized Secret authenticator - commonly referred to as a password or, if
+numeric, a PIN - is a secret value intended to be chosen and memorized by the
+user. Memorized secrets need to be of sufficient complexity and secrecy that it
+would be impractical for an attacker to guess or otherwise discover the correct
+secret value. A memorized secret is something you know.
 
 - NIST Special Publication 800-63B
 #+end_quote
 
-NIST offers a lot of guidance on passwords, but I'm going to highlight
-just a few of the important factors:
+NIST offers a lot of guidance on passwords, but I'm going to highlight just a
+few of the important factors:
 
-- Require passwords to be a minimum of 8 characters (6 characters if
-  randomly generated and be generated using an approved random bit
-  generator).
-- Compare potential passwords against a list that contains values known
-  to be commonly-used, expected, or compromised.
+- Require passwords to be a minimum of 8 characters (6 characters if randomly
+  generated and be generated using an approved random bit generator).
+- Compare potential passwords against a list that contains values known to be
+  commonly-used, expected, or compromised.
 - Offer guidance on password strength, such as a strength meter.
 - Implement a rate-limiting mechanism to limit the number of failed
   authentication attempts for each user account.
-- Do not require composition rules for passwords and do not require
-  passwords to be changed periodically (unless compromised).
-- Allow pasting of user identification and passwords to facilitate the
-  use of password managers.
+- Do not require composition rules for passwords and do not require passwords to
+  be changed periodically (unless compromised).
+- Allow pasting of user identification and passwords to facilitate the use of
+  password managers.
 - Allow users to view the password as it is being entered.
-- Use secure forms of communication and storage, including salting and
-  hashing passwords using a one-way key derivation function.
-
-NIST offers further guidance on other devices that require specific
-security policies, querying for passwords, and more. All the information
-discussed so far comes from
-[[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but
-NIST offers a lot of information on digital identities, enrollment,
-identity proofing, authentication, lifecycle management, federation, and
-assertions in the total [[https://pages.nist.gov/800-63-3/][NIST
-SP800-63 Digital Identity Guidelines]].
+- Use secure forms of communication and storage, including salting and hashing
+  passwords using a one-way key derivation function.
+
+NIST offers further guidance on other devices that require specific security
+policies, querying for passwords, and more. All the information discussed so far
+comes from [[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but NIST offers a lot of information on digital
+identities, enrollment, identity proofing, authentication, lifecycle management,
+federation, and assertions in the total [[https://pages.nist.gov/800-63-3/][NIST SP800-63 Digital Identity
+Guidelines]].