[cabf_netsec] Passwords
Dimitris Zacharopoulos
jimmy at it.auth.gr
Wed Feb 28 12:13:03 MST 2018
On 28/2/2018 8:45 PM, Tim Hollebeek wrote:
>
> The NSG requirements as they exist today ALREADY require that the
> password policy complies with all of NIST 800-63!!! That’s one of the
> things we’re trying to fix. So a SHOULD pointing to NIST 800-63B
> Appendix A isn’t adding anything, it’s just restoring a teeny portion
> of what we agreed on the calls to delete. It is intended to inform
> the reader about why all of the crazy, prescriptive rules other than
> length were removed. I’d suggest reading Appendix A for context.
>
> Basically, the document I posted is the password-relevant parts of
> what we already discussed on the calls, with only two changes intended
> to restore a suggestion to read Appendix A, which is informative
> anyway, and explicit guidance that overly frequent password rotation
> is bad. I don’t want people to be able to continue using 90 days as
> it has been shown to result in weaker passwords, not stronger ones.
>
> -Tim
>
No objections from me. I am concerned that other people will be
skeptical about replacing normative requirements (like the 90-day change)
with informative ones. I suppose the NIST document justifies the
proposed change adequately.
Dimitris.
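To make concrete what the thread means by keeping length and dropping the other prescriptive rules, here is an added example (not code from the list, the NSG, or NIST) of a memorized-secret check written in the style of NIST SP 800-63B section 5.1.1.2, placed beside the legacy composition-and-rotation rules it replaces. The thresholds (at least 8 characters, accept at least 64, screen against a blocklist, no composition rules, rotate only on evidence of compromise) are taken from 800-63B; the blocklist contents, the 90-day legacy value and the sample inputs are constructed for illustration.

```python
"""NIST SP 800-63B-style memorized-secret policy, beside the legacy rules.

Added example; thresholds follow 800-63B section 5.1.1.2. The blocklist is a
constructed sample: a real deployment screens against a breach-derived list.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List
import unicodedata

MIN_LEN = 8    # 800-63B minimum for user-chosen secrets
MAX_LEN = 64   # 800-63B says accept at least 64; we cap at exactly that

# Constructed sample blocklist (lower-case); real lists are large.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein", "12345678"}


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def normalize(secret: str) -> str:
    # 800-63B: NFKC-normalize before measuring length so the same visible
    # string is treated the same regardless of Unicode encoding form.
    return unicodedata.normalize("NFKC", secret)


def check_secret(secret: str, context_words=()) -> Verdict:
    """800-63B style: length bounds and blocklist only, no composition rules."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("matches blocklist of common or compromised secrets")
    for word in context_words:  # e.g. username, service name
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return Verdict(ok=not reasons, reasons=reasons)


def legacy_composition_ok(secret: str) -> bool:
    """The kind of prescriptive rule the thread removes: require upper,
    lower, digit and symbol classes. A long passphrase fails this while
    a short, blocklisted value passes it."""
    classes = (
        any(c.isupper() for c in secret),
        any(c.islower() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    )
    return all(classes)


def legacy_rotation_due(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Calendar-driven rotation (90 days is the constructed legacy value)."""
    return today - last_changed >= timedelta(days=max_age_days)


def rotation_due(compromise_suspected: bool) -> bool:
    """800-63B: change the secret on evidence of compromise, not on a schedule."""
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short"):
        v = check_secret(candidate)
        print(f"{candidate!r}: 800-63B ok={v.ok} {v.reasons}; "
              f"legacy composition ok={legacy_composition_ok(candidate)}")
```

Run as a script it prints one line per sample: the short blocklisted value passes the legacy composition rule but fails the 800-63B check, while the long passphrase does the reverse, which is the point Appendix A makes about length versus composition rules.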