While I'm in there anyway, here are some nuggets from NIST SP 800-63B, section 5, "Authenticator and Verifier Requirements", aka password requirements:
5.1.1.1 Memorized Secret Authenticators. "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. [...] No other complexity requirements for memorized secrets SHOULD be imposed."
5.1.1.2 Memorized Secret Verifiers
[Password hints suck. Denying bad passwords like ‘aaaaaa’ is fine. Rate limit logins.]
"Verifiers SHOULD permit claimants to use "paste" functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets."
Also, and this is key:
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
If you come anywhere near authentication services for a living, you must read NIST 800-63B (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf). It’s very clear, readable, and useful. And if you require wildly complex passwords, or disable pasting them into web forms, or make users rotate them, you’re violating government standards and best practices. Stop that!
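The verifier rules the post summarizes (8-character minimum, no composition rules, blocklist of bad secrets, rate-limited logins) are easy to get wrong in the other direction by bolting on complexity checks. Below is an added example, not code from the post or from NIST, of a verifier that applies exactly the 5.1.1.2 checks and nothing more. The blocklist, the service name `exampleapp`, the hypothetical `FailedAttemptLimiter` threshold and the in-memory credential store are all constructed for the example; a real deployment would use a breach corpus and shared storage.

```python
"""Memorized-secret verifier checks in the spirit of NIST SP 800-63B 5.1.1.2.

Added example; not the original post's code and not reference code from NIST.
Everything below the imports (blocklist, service name, store, thresholds) is
constructed for illustration.
"""
import hashlib
import os
import secrets
import unicodedata
from collections import defaultdict

MIN_LEN = 8   # 800-63B: at least 8 characters if chosen by the subscriber
MAX_LEN = 64  # 800-63B: verifiers SHOULD permit at least 64 characters

# Constructed stand-in for a list of commonly used / previously breached secrets.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123", "iloveyou"}

SERVICE_NAME = "exampleapp"  # hypothetical; context-specific words are rejected


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Catch the 'aaaaaaaa' / 'abcdefgh' / '12345678' class the spec names.

    Approximation: all-same characters, or a strict +1/-1 code point run.
    """
    if len(set(pw)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def check_memorized_secret(secret: str, username: str = ""):
    """Return (ok, reason). Deliberately imposes NO composition rules
    (no 'must contain a digit / symbol / uppercase'), per 800-63B."""
    # Normalize (NFKC, which the spec permits) and count Unicode code points,
    # so a non-ASCII character counts as one character, not several bytes.
    secret = unicodedata.normalize("NFKC", secret)
    n = len(secret)
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters"
    low = secret.lower()
    if low in BLOCKLIST:
        return False, "on the blocklist of commonly used / breached secrets"
    if _is_repetitive_or_sequential(low):
        return False, "repetitive or sequential characters"
    for ctx in (username, SERVICE_NAME):
        if ctx and ctx.lower() in low:
            return False, f"contains context-specific word {ctx!r}"
    return True, "ok"


def hash_secret(secret: str, salt: bytes = b""):
    """Salted, iterated PBKDF2-HMAC-SHA256, as 5.1.1.2 asks for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class FailedAttemptLimiter:
    """Per-account throttle. 800-63B caps consecutive failed attempts on one
    account at 100; the default here is that cap, lowered in tests."""

    def __init__(self, max_failures: int = 100):
        self.max_failures = max_failures
        self._failures = defaultdict(int)

    def allowed(self, account: str) -> bool:
        return self._failures[account] < self.max_failures

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures[account] = 0  # a good login clears the counter
        else:
            self._failures[account] += 1


def verify_login(store: dict, limiter: FailedAttemptLimiter,
                 account: str, candidate: str) -> bool:
    """Constant-time comparison against the stored salted hash, gated by the
    limiter. `store` maps account -> (salt, digest) and is constructed here."""
    if not limiter.allowed(account):
        return False
    ok = False
    if account in store:
        salt, digest = store[account]
        ok = secrets.compare_digest(hash_secret(candidate, salt)[1], digest)
    limiter.record(account, ok)
    return ok


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "short", "12345678", "пароль12"):
        print(pw, "->", check_memorized_secret(pw))
```

Note what is absent: no character-class rules, no expiry date on the hash record, and spaces and non-ASCII pass through, so a password manager's long random string or a passphrase is accepted as-is.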
@tek Did some QA for Google back in the day.
The vendor I worked for had a 90-day password recycling policy (and of course, you could not use an old one.) If you wanted it recovered, you had to call a phone line that would email a PDF of a screencap of your temporary password. (Which I couldn't see, naturally)...
My work email from google (the one I actually used) had none of these restrictions.
There is a lesson here, but no one was inclined to learn it.