[Cryptography] NIST SP 800-63-3

Jerry Leichter leichter at lrw.com
Tue Aug 15 06:03:05 EDT 2017


> As for your second point, I think the dangers posed by inadequate security in storing password validation data have reached such a level that they overwhelm any concern about requiring some new tools for password reset.
I'm not saying not to do it ... just pointing out that it has a downside.  A great deal depends on the details of the system and its usage.

Another alternative to help keep such databases safe (tongue in cheek here ... but it would be very effective):  Require that the company CIO, CEO, and all members of the board of directors post encrypted copies of all their financial account information, including passwords, to a public site - encrypted with a password stored in the same database as all the user passwords, using the same technology.  'Twould focus the minds on what's important.... :-)

                                                        -- Jerry