Apparently new saner NIST CSP password recommendations are in…

devopscats's posts Post Back to profile

devopscats

3.1.1.2. Password Verifiers
7 The following requirements apply to passwords:

1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCHI [RFC20) characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode ISO/ISC 10646 characters in passwords. Each Unicode code point SHALL be counted as a single character when
evaluatine nassword lenath
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically.
However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is
accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based
733
734
authentication (KBA) (e.g., "What was the name of your first pet?") or security
questions when choosing passwords.
735
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Like 24 September at 23:52 | Open on toot.cat

12 comments

Maddie :patsMaddie:

@devopscats wish thank god, i hate dealing with overly complicated password rules that just lead to insecure passwords that are hard to remember

25 September at 2:06 | Open on labyrinth.zone

Frank’s Ting

@devopscats @jpm you just know there’s security experts at large corporates who may consider taking these guidelines on in about 2040

25 September at 2:07 | Open on theblower.au

Kev_Prime

@franksting @devopscats @jpm sadly, some old systems will be slow to change but all new systems should be compliant.

25 September at 2:30 | Open on infosec.exchange

Kev_Prime

@devopscats this is so nice I've gotten into discussions with old school managers who were stuck in their ways of forcing password resets.

TY NIST!

25 September at 2:29 | Open on infosec.exchange

s0: Soldering Sorceress

@devopscats stapling this to the door of the security division at work

25 September at 2:41 | Open on cathode.church

devopscats

@s0 recommend using a gauge nail gun, purely for the therapeutic value of course

25 September at 2:43 | Open on toot.cat

gkrnours

@devopscats I think these rules are recent but not new. Like I think they were already the NIST recommendation 2 years ago

25 September at 5:30 | Open on mastodon.gamedev.place

Orca🌻 | 🏴🏳️‍⚧️

@devopscats@toot.cat Finally! :nacho_cry:

25 September at 6:10 | Open on nya.one

will talk for elePHPants!

@devopscats That's in there for at.least a year if not longer. But wasn't as prominent presented in a list

25 September at 6:14 | Open on phpc.social

dee 🏳️‍⚧️

@devopscats bullet 4 is going to cause such issues for those who can't even manage the other bullet points 😂

Count emojis as a single char... Well, that's open to a lot of language specific fun

25 September at 6:33 | Open on social.treehouse.systems

europlus :autisminf:

@devopscats @robdaemon the periodic change one has been gone for a while now, thankfully.

25 September at 6:45 | Open on social.europlus.zone

Þór Sigurðsson

@devopscats #8 is 👍👍too! Microsoft is breaking that with Windows 11.

Q:"What's the name of your 1st pet?"
A:"ð0maz04p9es7nuty45p0æ7uyn5esoæl8gvuynme4o8gusyem4o8gvsuy extl8onbs7y45læo8iseum 5l8owsugyb lo4es587yguspæo349uy nbslo8eg54ryunlo8y<"

Every time.

25 September at 6:45 | Open on mast.ttk.is