loading...

re: What does it take to create a strong password? VIEW POST

FULL DISCUSSION
 
  1. Go to the experts, first: pages.nist.gov/800-63-3/sp800-63b.... (section 5.1.1.2 in particular) and especially note that their previous recommendations are updated to reflect years of real-life experience. For instance:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Also (one of my pet peeves when people add goofy scripting to prevent pasting of credentials):

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

That's just a bit of the advice. Read the doc.

Many security audit requirements either reference or are derived from NIST guidelines which may prove helpful if you end up in a situation where security audits or compliance are required.

Additionally, if you are using something like an email address as the user name be really, really, absolutely sure that you are consistent in verification across all components and that your verification strictly adheres to the appropriate RFCs. I can't believe how many so-called professionals screw this up and end up accepting, confirming and successfully using a provided email address but then refuse to allow completion of account setup using that address (looking at you Red Cross, AARP, Fastrak, ...). Yes, "+" is a legal and useful character.

Finally, if there are restrictions/requirements, be sure they are all shown up-front. Don't leave me pasting in a strong auto-generated 32-character random password and keep rejecting it without any displayed reason leaving me to guess what non-NIST-conforming "rule" was broken and retry (looking at you, USC recommendation portal).

Code of Conduct Report abuse