reminder that NIST 800-63b recommends
- allowing all printing ASCII characters
- allowing Unicode
- normalizing Unicode using NFKC or NFKD prior to hashing
- using a password-strength meter (presumably based on estimated entropy) instead of having composition rules
- not forcing periodic password changes
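The password-handling points in the list above (printing ASCII and Unicode accepted, NFKC normalization before hashing, no composition rules), as an added Python example that is not part of the original post; the length limits, the PBKDF2 work factor and the sample passwords are assumptions chosen for the demo:

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Assumed policy values for this demo (SP 800-63B: at least 8 chars, permit at least 64).
MIN_LEN = 8
MAX_LEN = 64
# Work factor is not set by 800-63B; 600k follows OWASP's 2023 PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def normalize_secret(secret: str) -> str:
    """NFKC so that visually identical Unicode spellings produce the same bytes."""
    return unicodedata.normalize("NFKC", secret)


def is_acceptable(secret: str) -> bool:
    """Accept every printing ASCII char (space included) and any Unicode code point.
    No composition rules: reject only on length (code points, after normalization)
    and on control characters (Unicode category Cc)."""
    s = normalize_secret(secret)
    if not MIN_LEN <= len(s) <= MAX_LEN:
        return False
    return not any(unicodedata.category(ch) == "Cc" for ch in s)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Normalize first, then derive a salted PBKDF2-HMAC-SHA256 verifier."""
    salt = os.urandom(16) if salt is None else salt
    data = normalize_secret(secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


def verify_secret(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-apply the same normalization at login; compare in constant time."""
    _, cand = hash_secret(candidate, salt)
    return hmac.compare_digest(cand, digest)


# Constructed sample: the same password entered as precomposed U+00E9 and as e + U+0301.
# Without normalization the two would hash differently and the second login would fail.
COMPOSED = "caf\u00e9 au lait 2024"
DECOMPOSED = "cafe\u0301 au lait 2024"
```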
@haskal Important that it also recommends MFA with something you know and something you have. I think the risk involved in not forcing periodic password changes shifts significantly without that, and changing that control might be better after adding MFA for some orgs.