devopscats

Apparently new saner NIST CSP password recommendations are in…

3.1.1.2. Password Verifiers

The following requirements apply to passwords:

1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., "What was the name of your first pet?") or security questions when choosing passwords.
9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
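An added example, not part of the post or of NIST's own text: a Python acceptance check that follows the nine requirements quoted above, using the length thresholds from the text. Rejecting non-printing control characters is my assumption (the text only says what SHOULD be accepted), and the sample passwords are constructed.

```python
# Added example: NIST-style password acceptance check (not NIST's code).
import unicodedata

MIN_LEN = 8           # req. 1: SHALL require at least 8
RECOMMENDED_LEN = 15  # req. 1: SHOULD require at least 15
MAX_LEN = 64          # req. 2: SHOULD permit at least 64

def password_length(pw: str) -> int:
    """Length in Unicode code points (req. 4): a Python str indexes code
    points, so len() is the right unit here, not bytes or UTF-16 units."""
    return len(pw)

def length_by_unit(pw: str) -> dict:
    """The same string measured three ways; only code_points matches req. 4."""
    return {
        "code_points": len(pw),
        "utf8_bytes": len(pw.encode("utf-8")),
        "utf16_units": len(pw.encode("utf-16-le")) // 2,
    }

def check_password(pw: str) -> tuple[bool, list[str]]:
    """Return (accepted, notes). The whole string is examined (req. 9);
    there are no composition rules (req. 5), only length and a
    control-character check (the latter is an assumption, not in the text)."""
    notes: list[str] = []
    n = password_length(pw)
    if n < MIN_LEN:
        return False, [f"too short: {n} code points, minimum {MIN_LEN}"]
    if n > MAX_LEN:
        return False, [f"too long: {n} code points, maximum {MAX_LEN}"]
    for ch in pw:
        # Printing ASCII, space and other Unicode (reqs. 3 and 4) all pass;
        # only Unicode category Cc (control characters) is refused.
        if unicodedata.category(ch) == "Cc":
            return False, [f"control character U+{ord(ch):04X} not allowed"]
    if n < RECOMMENDED_LEN:
        notes.append(f"accepted, but {RECOMMENDED_LEN}+ code points is recommended")
    return True, notes

# Constructed sample: ASCII words plus a black-cat emoji, which is a ZWJ
# sequence of three code points (U+1F408 U+200D U+2B1B).
SAMPLE = "correct horse \U0001F408\u200D\u2B1B"

if __name__ == "__main__":
    print(length_by_unit(SAMPLE))          # 17 code points, 24 bytes, 18 UTF-16 units
    print(check_password(SAMPLE))          # (True, [])
    print(check_password("abcdefgh"))      # accepted with a recommendation note
    print(check_password("pass\x00word1")) # rejected: control character
```

Measuring the emoji in bytes or UTF-16 units would overcount it, which is the "language specific fun" a later comment alludes to.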
12 comments
Maddie :patsMaddie:
@devopscats wish thank god, I hate dealing with overly complicated password rules that just lead to insecure passwords that are hard to remember
Frank’s Ting

@devopscats @jpm you just know there’s security experts at large corporates who may consider taking these guidelines on in about 2040

Kev_Prime

@franksting @devopscats @jpm sadly, some old systems will be slow to change but all new systems should be compliant.

Kev_Prime

@devopscats this is so nice I've gotten into discussions with old school managers who were stuck in their ways of forcing password resets.

TY NIST!

s0: Soldering Sorceress

@devopscats stapling this to the door of the security division at work

devopscats

@s0 recommend using a gauge nail gun, purely for the therapeutic value of course

gkrnours

@devopscats I think these rules are recent but not new. Like I think they were already the NIST recommendation 2 years ago

will talk for elePHPants!

@devopscats That's been in there for at least a year if not longer. But wasn't as prominently presented in a list

dee 🏳️‍⚧️

@devopscats bullet 4 is going to cause such issues for those who can't even manage the other bullet points 😂

Count emojis as a single char... Well, that's open to a lot of language specific fun

europlus :autisminf:

@devopscats @robdaemon the periodic change one has been gone for a while now, thankfully.

Þór Sigurðsson

@devopscats #8 is 👍👍too! Microsoft is breaking that with Windows 11.

Q:"What's the name of your 1st pet?"
A:"ð0maz04p9es7nuty45p0æ7uyn5esoæl8gvuynme4o8gusyem4o8gvsuy extl8onbs7y45læo8iseum 5l8owsugyb lo4es587yguspæo349uy nbslo8eg54ryunlo8y<"

Every time.
