Date: Thu, 15 Dec 2016 09:13:15 -0800
From: Jim Fenton <>
Subject: Re: proposed NIST guidelines on passwords

FYI, I gave a presentation at Passwords '16 Las Vegas about the
rationale for many of these changes:

Expect a new public comment period to begin early next year.


On 12/15/16 6:58 AM, Martin Rublik wrote:
> Hi,
> NIST published a new draft on the Digital Authentication Guideline.
> A summary related to passwords follows:
> - at least 8 chars minimum length
> - at least 64 chars should be allowed by application
> - printing ASCII, space and UNICODE allowed (the application should
> perform normalization, little worried about this one)
> - password hints should not be implemented,
> - passwords should be checked by the application against: passwords
> obtained from breaches, dictionary words, context specific such as
> username. These passwords should not be allowed / user should be warned
> - no composition rules such as different character sets
> - no periodic change (unless a breach was detected)
> - mandatory encryption/hashing (PBKDF2 mentioned)
> Martin
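The rules summarized in the quoted list map directly onto a password acceptance check plus a storage routine. The following is an added example illustrating them; it is not code from the NIST draft or from either poster. It assumes only the Python standard library, NFKC as the normalization form (the draft asks for normalization without fixing the form), a constructed breach corpus and dictionary standing in for real blocklists, and a PBKDF2 iteration count chosen for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample data standing in for the blocklists the draft requires
# (assumption: a real deployment loads a breach corpus and a dictionary file).
BREACHED_PASSWORDS = {"password", "123456789", "qwertyuiop", "letmein1"}
DICTIONARY_WORDS = {"sunshine", "dragon", "football", "welcome"}

MIN_LENGTH = 8               # at least 8 characters
REQUIRED_MAX_LENGTH = 64     # the application must accept at least 64 characters
PBKDF2_ITERATIONS = 600_000  # assumption: iteration count chosen for this example

# Rejection reasons returned by check_password
TOO_SHORT = "too short"
TOO_LONG = "too long"
NON_PRINTABLE = "contains non-printable characters"
BREACHED = "found in breach corpus"
DICTIONARY = "is a dictionary word"
CONTEXT = "contains account context (username)"


def normalize(password: str) -> str:
    """NFKC-normalize so equivalent Unicode spellings compare and hash the same.
    Assumption: NFKC; the draft asks for normalization without fixing the form."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str,
                   max_length: int = REQUIRED_MAX_LENGTH) -> list:
    """Return the list of reasons a candidate password is rejected.

    An empty list means the password is acceptable. Note what is deliberately
    absent: no character-class composition rules and no expiry interval.
    """
    if max_length < REQUIRED_MAX_LENGTH:
        raise ValueError("application must allow at least %d characters"
                         % REQUIRED_MAX_LENGTH)
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    if len(pw) > max_length:
        reasons.append(TOO_LONG)
    # Printable ASCII, space and other Unicode are allowed; control, format,
    # surrogate, private-use and unassigned code points (category C*) are not.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        reasons.append(NON_PRINTABLE)
    lowered = pw.casefold()
    if lowered in BREACHED_PASSWORDS:
        reasons.append(BREACHED)
    if lowered in DICTIONARY_WORDS:
        reasons.append(DICTIONARY)
    # Context-specific check: the account's username must not appear in it.
    if username and username.casefold() in lowered:
        reasons.append(CONTEXT)
    return reasons


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Hash the normalized password with PBKDF2-HMAC-SHA256 and a random salt.
    Returns (salt, derived_key); both are stored, the password itself is not."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"),
                              salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derived key and compare it in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    for candidate in ["short", "password", "alice2016xyz",
                      "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, "alice") or "accepted")
```

Because the check normalizes before measuring length and before hashing, a password typed with a compatibility ligature (for example U+FB01 "ﬁ") verifies against a hash computed from the decomposed "fi" spelling, which is the reason the normalization requirement exists; the casefolded blocklist comparison is a whole-password match, a simplification that a production deployment would extend to its own corpus format.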
