[cabf_netsec] Passwords

Dimitris Zacharopoulos jimmy at it.auth.gr
Wed Feb 28 12:13:03 MST 2018

On 28/2/2018 8:45 PM, Tim Hollebeek wrote:
> The NSG requirements as they exist today ALREADY require that the 
> password policy complies with all of NIST 800-63!!!  That’s one of the 
> things we’re trying to fix.  So a SHOULD pointing to NIST 800-63B 
> Appendix A isn’t adding anything, it’s just restoring a teeny portion 
> of what we agreed on the calls to delete.  It is intended to inform 
> the reader about why all of the crazy, prescriptive rules other than 
> length were removed.  I’d suggest reading Appendix A for context.
> Basically, the document I posted is the password-relevant parts of 
> what we already discussed on the calls, with only two changes intended 
> to restore a suggestion to read Appendix A, which is informative 
> anyway, and explicit guidance that overly frequent password rotation 
> is bad.  I don’t want people to be able to continue using 90 days as 
> it has been shown to result in weaker passwords, not stronger ones.
> -Tim

No objections from me. I am concerned that other people will be 
skeptical about removing normative requirements (like the 90-day change) 
with informative ones. I suppose the NIST document justifies the 
proposed change adequately.
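The contrast the thread draws, between prescriptive composition rules plus calendar-driven rotation and the NIST 800-63B approach of a length minimum, a blocklist and compromise-driven change, is easy to see in code. The following is an added illustration written for this archive page; it is not code from the thread, from NIST, or from the CA/B Forum NSG document. The blocklist is a small constructed stand-in for a real breached-password corpus, and the rule names and helper functions are this example's own choices.

```python
import unicodedata

# Constructed, illustrative blocklist. A real verifier would consult a large
# breached/common-password corpus (locally hashed or via a k-anonymity lookup).
BLOCKLIST = {"password", "123456", "qwerty", "letmein",
             "welcome1", "p@ssw0rd", "changeme"}

MIN_LENGTH = 8    # NIST 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # NIST 800-63B: verifiers should accept at least 64 characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization before any check, as 800-63B advises,
    so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", secret)


def legacy_policy(secret: str) -> list[str]:
    """The prescriptive composition style the thread describes as removed:
    one requirement per character class. Kept only for contrast."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too_short")
    if not any(c.isupper() for c in s):
        reasons.append("no_uppercase")
    if not any(c.islower() for c in s):
        reasons.append("no_lowercase")
    if not any(c.isdigit() for c in s):
        reasons.append("no_digit")
    if not any(not c.isalnum() for c in s):
        reasons.append("no_symbol")
    return reasons


def _has_long_run(s: str, n: int = 4) -> bool:
    """True if any character repeats n or more times consecutively."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        if run >= n:
            return True
    return False


def nist_policy(secret: str, context_words=(), blocklist=BLOCKLIST) -> list[str]:
    """800-63B-style check: length bounds plus a blocklist and a few
    context/repetition screens, with no composition rules.
    Returns an empty list when the secret is acceptable."""
    s = normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too_short")
    if len(s) > MAX_LENGTH:
        reasons.append("too_long")
    if low in blocklist:
        reasons.append("in_blocklist")
    # Context-specific words: the username, the service name, and so on.
    if any(w.lower() in low for w in context_words if w):
        reasons.append("contains_context_word")
    if _has_long_run(low):
        reasons.append("repetitive")
    return reasons


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Forced change is driven by evidence of compromise, not by the calendar.
    days_since_change is accepted only to make the point that it is ignored:
    a 90-day clock alone never triggers a change."""
    return compromise_suspected


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "aaaaaaaaaa"):
        print(repr(candidate), "legacy:", legacy_policy(candidate),
              "nist:", nist_policy(candidate))
```

Note how the two policies disagree on the first two candidates: the composition rules wave through a blocklisted string because it ticks every character-class box, while they reject a long passphrase for lacking an uppercase letter and a digit.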

