Message-ID: <a9c54958-e86b-ae76-4b3a-d4db7f8ab7ff@bluepopcorn.net>
Date: Thu, 15 Dec 2016 09:13:15 -0800
From: Jim Fenton <fenton@...epopcorn.net>
To: passwords@...ts.openwall.com
Subject: Re: proposed NIST guidelines on passwords

FYI, I gave a presentation at Passwords '16 Las Vegas about the
rationale for many of these changes:

http://www.slideshare.net/jim_fenton/toward-better-password-requirements

Expect a new public comment period to begin early next year.

-Jim

On 12/15/16 6:58 AM, Martin Rublik wrote:
> Hi,
>
> NIST published a new draft of the Digital Authentication Guideline
>
> https://pages.nist.gov/800-63-3/sp800-63b.html#memorized-secret-verifiers
>
> The summary related to passwords is as follows:
>
> - at least 8 chars minimum length
> - at least 64 chars should be allowed by application
> - printable ASCII, space and UNICODE allowed (the application should
> perform normalization, little worried about this one)
> - password hints should not be implemented
> - passwords should be checked by the application against: passwords
> obtained from breaches, dictionary words, context specific such as
> username. These passwords should not be allowed / user should be warned
> - no composition rules such as different character sets
> - no periodic change (unless a breach was detected)
> - mandatory encryption/hashing (PBKDF2 mentioned)
>
> Martin

