[Cryptography] NIST Updates Password Recommendations: WOW!
Kent Borg
kentborg at borg.org
Wed Nov 23 11:40:31 EST 2016
I haven't read the actual NIST publication yet, but the TL;DR from Sophos
(https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/)
has some nice stuff in it. Such as saying quit forcing users to change
passwords for no reason, and don't use SMS as a two-factor device.
I hope people read it--I have it in my queue. Looks like a lot of
longstanding dogma finally gets thrown under the bus.
The full NIST version: https://pages.nist.gov/800-63-3/
Their github (!) sources: https://github.com/usnistgov/800-63-3
-kb, the Kent who doesn't know whether they say to write down passwords
with paper and pencil.