reminder that NIST 800-63b recommends

- allowing all printing ASCII characters
- allowing Unicode
- normalizing Unicode using NFKC or NFKD prior to hashing
- using a password-strength meter (presumably based on estimated entropy) instead of having composition rules
- not forcing periodic password changes
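Putting those points into a verifier-side check, as an added example that is not part of the thread: it NFKC-normalizes before hashing, counts code points rather than bytes, rejects only control characters and blocklisted values, imposes no composition rules, never truncates, and happily accepts a 128-character pwgen string. The blocklist contents and the fixed salt used in the demo are constructed; the PBKDF2 iteration count is an assumption, not something 800-63B prescribes.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

MIN_LEN = 8      # 800-63B: user-chosen secrets must be at least 8 characters
MAX_LEN = 256    # 800-63B says allow at least 64; this cap only bounds hashing cost
ITERATIONS = 600_000  # assumed PBKDF2 work factor, tune for your hardware

# Constructed sample; a real deployment screens against a large list of
# breached and commonly used passwords, as 800-63B requires.
BLOCKLIST = {"password", "12345678", "qwertyui"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical inputs (e.g. composed vs.
    decomposed accents, fullwidth letters) produce identical hashes."""
    return unicodedata.normalize("NFKC", secret)


def check_secret(secret: str) -> List[str]:
    """Return the reasons a secret is rejected; an empty list means accepted.
    No composition rules: printable ASCII, spaces and Unicode are all fine."""
    s = normalize(secret)
    problems = []
    if len(s) < MIN_LEN:          # len() counts code points, not bytes
        problems.append("too short")
    if len(s) > MAX_LEN:
        problems.append("too long")
    if any(unicodedata.category(ch) == "Cc" for ch in s):  # control chars only
        problems.append("contains non-printing characters")
    if s.lower() in BLOCKLIST:
        problems.append("on blocklist")
    return problems


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated hash over the NFKC-normalized UTF-8 bytes; no truncation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    _, candidate = hash_secret(secret, salt, iterations)
    return hmac.compare_digest(candidate, digest)
```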

@haskal if I can't just give your website the output from pwgen -sy 128 1 then something is wrong

@haskal important that it also recommends MFA with something you know and something you have. I think the risk involved with not forcing periodic password changes shifts significantly without that and changing that control might be better after adding MFA for some orgs.

@haskal I remember the rejoicing that occurred when they updated that haha
