Lukasz OlejnikSep 24, 2024
GREAT change is approaching. NIST will standardise prohibition of requirement of composing passwords from various character styles, and requirement for periodic password changes. These are harmful and obsolete rules. Now they will be treated as a cybersecurity weakness https://pages.nist.gov/800-63-4/sp800-63b.html
NIST Special Publication 800-63B

NIST Special Publication 800-63B

Show threadMichael Dwyer

@LukaszOlejnik I thought this was already the case, but maybe I'm only thinking of the password rotation requirement.

Unfortunately, despite NIST's stance, the misery will remain for many of us until the PCI (payment card industry) standards also change.

Sep 24, 2024 at 4:35pmTusky
Show threadBen AvelingSep 24, 2024
@mdwyer There's a bunch of changes in there. Not requiring password rotations was added, fairly recently.
And I was pushing for that for a long time
But I think that "should not" require password rotation goes to far. For some cases, once a year is, IMHO, more than justified.
@LukaszOlejnik
Show threadZimmieSep 24, 2024

@BenAveling @mdwyer @LukaszOlejnik NIST SP 800-63B (updated 2017-06) section 5.1.1.2:

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Edit: I see now this thread is about the latest version of SP 800-63B! The one I quoted above is 800-63-3, which has been replaced by 800-63-4. Seems they turned a bunch of SHOULD NOTs into SHALL NOTs.

Show threadwaldiSep 24, 2024
@mdwyer @LukaszOlejnik PCI got rid of that as well with the last version.