this post was submitted on 26 Sep 2024
548 points (99.3% liked)


Here is the text of the NIST sp800-63b Digital Identity Guidelines.

[–] cybersandwich@lemmy.world 10 points 2 months ago (1 children)

I think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.

[–] lvxferre@mander.xyz 6 points 2 months ago* (last edited 2 months ago)

~~That stipulation goes rather close to #5, even not being a composition rule.~~ EDIT: see below.

I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you're reasonably sure that your delay between failed password attempts works flawlessly.

EDIT: as I was re-reading the original, I found the relevant excerpt:

If the CSP [credential service provider] disallows a chosen password because it is on a blocklist of commonly used, expected, or compromised values (see Sec. 3.1.1.2), the subscriber SHALL be required to choose a different password. Other complexity requirements for passwords SHALL NOT be imposed. A rationale for this is presented in Appendix A, Strength of Passwords.

So they are requiring CSPs to do what you said, and check it against a list of compromised passwords. However they aren't associating it with password length; on that, the Appendix 2 basically says that min length depends on the threat model being addressed; as in, if it's just some muppet trying passwords online versus trying it offline.
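The two comments above describe one policy: enforce a length minimum, reject anything on a compromised-password blocklist, impose no other composition rules, and slow down failed online guesses. The following is an added example of that policy in Python; it is not code from the thread or from NIST. The blocklist is a constructed five-entry set standing in for a real compromised-password corpus, the doubling delay between failed attempts is an assumed design (NIST only requires that a delay exist), and PBKDF2 is used purely so the example stores nothing in plaintext.

```python
import hashlib
import hmac
import os

# Constructed sample blocklist. A real CSP would consult a large corpus of
# commonly used, expected, or compromised values instead of this toy set.
COMPROMISED_PASSWORDS = {
    "password", "123456789", "qwertyuiop", "letmein123", "iloveyou1",
}

# The recommended 15-character minimum, and the 8-character floor that is
# only defensible together with a blocklist check and working throttling.
RECOMMENDED_MIN_LENGTH = 15
ABSOLUTE_MIN_LENGTH = 8
MAX_LENGTH = 64
PBKDF2_ITERATIONS = 200_000  # assumed value for the example


def evaluate_password(candidate: str, min_length: int = RECOMMENDED_MIN_LENGTH) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Only length and blocklist membership are checked. Character-class
    ("composition") rules are deliberately absent, per the quoted SHALL NOT.
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if candidate in COMPROMISED_PASSWORDS:
        reasons.append("appears on the compromised/common password blocklist")
    return reasons


def hash_password(candidate: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(store: dict, account: str, candidate: str,
             min_length: int = RECOMMENDED_MIN_LENGTH) -> None:
    """Apply the policy at enrolment; reject with the reasons if it fails."""
    reasons = evaluate_password(candidate, min_length)
    if reasons:
        raise ValueError("; ".join(reasons))
    salt = os.urandom(16)
    store[account] = (salt, hash_password(candidate, salt))


class FailedAttemptThrottle:
    """Per-account delay between failed online guesses (assumed design).

    Each failure doubles the wait before the next attempt is accepted, up to
    a cap, so online guessing is slowed regardless of password length. The
    clock is passed in explicitly so the behaviour is deterministic to test.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state: dict[str, tuple[int, float]] = {}  # account -> (failures, last_failure)

    def allowed(self, account: str, now: float) -> bool:
        failures, last = self._state.get(account, (0, 0.0))
        if failures == 0:
            return True
        wait = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        return now - last >= wait

    def record_failure(self, account: str, now: float) -> None:
        failures, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (failures + 1, now)

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def attempt_login(store: dict, throttle: FailedAttemptThrottle,
                  account: str, candidate: str, now: float) -> str:
    """Return 'throttled', 'rejected' or 'ok' for one online attempt."""
    if not throttle.allowed(account, now):
        return "throttled"
    salt, expected = store[account]
    if hmac.compare_digest(hash_password(candidate, salt), expected):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "rejected"


if __name__ == "__main__":
    store: dict = {}
    register(store, "alice", "correct horse battery staple")
    throttle = FailedAttemptThrottle()
    print(attempt_login(store, throttle, "alice", "wrong guess here", 0.0))   # rejected
    print(attempt_login(store, throttle, "alice", "correct horse battery staple", 0.5))  # throttled
    print(attempt_login(store, throttle, "alice", "correct horse battery staple", 1.0))  # ok
```

Note that `evaluate_password("Tr0ub4dor&3", ABSOLUTE_MIN_LENGTH)` passes even though it mixes classes and `evaluate_password("password", ABSOLUTE_MIN_LENGTH)` fails: the decision rests on length and blocklist membership only, which is the point of the quoted requirement. The throttle is what makes the lower minimum tolerable against online guessing; it does nothing against an attacker who already holds the hash store, which is the offline threat model the second commenter distinguishes.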