Stamets [Mirror]I will burn your servers to the ground, foul villain
andyburkeFWIW: these types of password rules are discouraged by NIST -
Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.
It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.
CluelessLemmyngThey also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.
RQGI wish I knew what all those acronyms mean.
2FA - Two factor authentication, you get asked a second secret besides your password.
OTP - one time password, you receive a code over SMS or mail.
TOTP - Time based one time password, you have to have an authentication app that creates a clock based cryptographic code.
FIDO2 - fast identity online standard version 2, is a set of ID verification. Usually you’re asked to confirm access on another certified device. Like google asking you to check your phone for a notification when logging into a new browser.
Thank you!