{"id":64943,"date":"2024-09-26T22:55:57","date_gmt":"2024-09-27T02:55:57","guid":{"rendered":"http:\/\/pappp.net\/?guid=3b3b9c479fdca72ad94fb42cf5335495"},"modified":"2024-09-27T10:03:56","modified_gmt":"2024-09-27T14:03:56","slug":"nist-recommends-some-common-sense-password-rules","status":"publish","type":"post","link":"https:\/\/pappp.net\/?p=64943","title":{"rendered":"NIST Recommends Some Common-Sense Password Rules"},"content":{"rendered":"

Source: Schneier on Security<\/a><\/p>\n

Article note: Let's hope some fuckers start following this advice, because we're currently in an age of \"You have to regularly change your password following rules so arcane you have to carefully construct a password to comply with them, then two-factor with some bullshit third party that frequently doesn't work.\"<\/div>

NIST’s second draft of its “SP 800-63-4<\/a>“—its digital identify guidelines—finally contains some really good rules about passwords:<\/p>\n

The following requirements apply to passwords:<\/p>\n

    \n
  1. lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.\n<\/li>
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.\n<\/li>
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.\n<\/li>
  4. Verifiers and CSPs SHOULD accept Unicode [ISO\/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a signgle character when evaluating password length.\n<\/li>
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.\n<\/li>
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.\n<\/li>
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.\n<\/li>
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.\n<\/li>
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).<\/li><\/ol>\n<\/blockquote>\n

    Hooray.<\/p>\n

    News article<\/a>.Shashdot thread<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

    NIST\u2019s second draft of its \u201cSP 800-63-4\u201c\u2014its digital identify guideli…<\/p>\n

    Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[226],"tags":[],"class_list":["post-64943","post","type-post","status-publish","format-standard","hentry","category-news-2"],"_links":{"self":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/64943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64943"}],"version-history":[{"count":0,"href":"https:\/\/pappp.net\/index.php?rest_route=\/wp\/v2\/posts\/64943\/revisions"}],"wp:attachment":[{"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pappp.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}