The National Institute of Standards and Technology (NIST) addressed the question of password policies by issuing NIST Special Publication 800-63B (Digital Identity Guidelines – Authentication and Lifecycle Management). Section 5.1.1 “Memorized Secrets” has much to say about passwords and how they should be managed and stored.

The requirements are actually pretty lenient: user-supplied passwords must be at least eight alphanumeric characters; passwords randomly generated by systems must be at least six characters and may be entirely numeric.

NIST has been updating its standards, and the most significant new requirement is that the system must check prospective passwords against “a list that contains values known to be commonly used, expected, or compromised.” Types of passwords that might be disallowed based on such checks include:

- Passwords obtained from previous breaches.
- Repetitive or sequential characters (e.g., aaaaaa or 1234abcd).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
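The following is an added example, not code from the original post or from NIST, showing how a registration or password-change endpoint could implement the checks just listed: a minimum length, a lookup against a compromised-password list, and rejection of repetitive runs, sequential runs, and context-specific words. The `COMPROMISED` set is a small constructed sample standing in for a real breach corpus; the run length of four and the three-character minimum for context words are assumptions chosen for illustration, not values from SP 800-63B.

```python
import re

# Constructed stand-in for a "commonly used, expected, or compromised" list.
# A real deployment would load a large breach corpus (or query a k-anonymity
# range API) instead of this handful of entries.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def has_repetitive_run(pw: str, n: int = 4) -> bool:
    """True if any single character repeats n or more times in a row (aaaaaa)."""
    pattern = r"(.)\1{" + str(n - 1) + ",}"
    return re.search(pattern, pw) is not None


def has_sequential_run(pw: str, n: int = 4) -> bool:
    """True if n consecutive characters step by exactly +1 or -1 (1234, abcd, dcba)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        codes = [ord(c) for c in s[i:i + n]]
        diffs = {codes[j + 1] - codes[j] for j in range(n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_context_word(pw: str, context_words) -> bool:
    """True if the password embeds a service name, username, etc. (case-insensitive)."""
    low = pw.lower()
    for word in context_words:
        word = word.lower()
        # assumed threshold: ignore very short context words to avoid false positives
        if len(word) >= 3 and word in low:
            return True
    return False


def check_memorized_secret(pw: str, context_words=(), min_len: int = 8,
                           compromised=COMPROMISED) -> list:
    """Return the list of reasons a user-supplied password is rejected.

    An empty list means the password passes every check. Reasons are returned
    together so the UI can tell the user everything that is wrong at once.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if pw.lower() in compromised:
        reasons.append("compromised")
    if has_repetitive_run(pw):
        reasons.append("repetitive")
    if has_sequential_run(pw):
        reasons.append("sequential")
    if contains_context_word(pw, context_words):
        reasons.append("context")
    return reasons


if __name__ == "__main__":
    # constructed inputs: the two examples from the guideline plus a service/user context
    for candidate in ["aaaaaa", "1234abcd", "Password", "acme-portal-2024", "correct horse battery"]:
        print(candidate, "->", check_memorized_secret(candidate, context_words=["acme", "jsmith"]) or "accepted")
```

Note that the compromised-list check is done on the lowercased password only as an illustration; a production implementation would normalise in whatever way the breach corpus was normalised, and would never log the candidate password when reporting the rejection reasons.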