A GREAT change is approaching. NIST will standardise the prohibition of the requirement to compose passwords from various character styles, and of the requirement for periodic password changes. These are harmful and obsolete rules. Now they will be treated as a cybersecurity weakness: https://pages.nist.gov/800-63-4/sp800-63b.html
NIST Special Publication 800-63B

@LukaszOlejnik Banning stupid nonsense reset questions too? Nice.

Some of these have already been standardized in previous iterations (e.g. no mandatory password cycling) but I don't recall having seen that one before.

I think the requirement to allow arbitrary Unicode is new (and very much needed).

@azonenberg @LukaszOlejnik Recommendation (SHOULD), not requirement (SHALL).