re: Password max length limits are dumb (but we need them) VIEW POST

FULL DISCUSSION
 

can you please explain what you meant by "Rotate compromised credentials"

 

Rotate compromised credentials means forcing passwords and secrets to be changed if there is evidence or suspicion that someone who shouldn't have a copy of them has a copy of them.

A good example of this is when there has been a database breach/dump. Even if the passwords are hashed, there is the chance that the passwords could be brute force offline. You should get all users to set a new password so that of their old password is cracked offline it can not be used to log in.

Another example is finding API secrets on GitHub. Once these have been found, you know that they are no longer a secret and should invalidate them/force rotation of them. Even if the git history is changed to remove all traces of the secret you do not know if someone else has a copy of it already.

code of conduct - report abuse