NIST proposes barring some of the most nonsensical password rules - eviltoast

Here is the text of the NIST SP 800-63B Digital Identity Guidelines.

  • Madblood@lemmy.world · 41 upvotes · 2 months ago

    Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

    About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I’m good to go. If there’s no internet available, the smart card will still get me into my computer. If I’m on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

    • turtletracks@lemmy.zip · 5 upvotes · edited · 2 months ago

      I’ll log into my home desktop and I’ll get a message telling me that “it’s time to reset your password!”

      First of all, how dare you, on my computer? In my home?

      Secondly, I don’t even have a password on this thing.

    • sugar_in_your_tea@sh.itjust.works · 3 upvotes, 1 downvote · edited · 2 months ago

      Eh, I think they should nag users to change their password proportional to how “strong” their password is. If you’re barely meeting the minimum: reset every few months. If you’re using a proper passphrase dozens of characters long: only reset if there’s evidence of compromise.
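
To make the two positions in this thread concrete, here is an added example (my own illustration, not code from the thread, from NIST, or from any of the commenters) that puts three reset policies side by side: the calendar-driven expiry the first commenter complains about, the evidence-of-compromise rule quoted from SP 800-63B, and the strength-scaled variant proposed in the last comment. The breach corpus, the reference clock `NOW`, the password-length thresholds (12 and 24 characters) and the 90/365-day intervals are all constructed assumptions for illustration; the prefix-indexed lookup mirrors the range-query style used by compromised-password services, so a real check would query such a service instead of a local set.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest format breach corpora are commonly published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a compromised-credential corpus (hypothetical data, not from the page).
# Indexed by 5-hex-character prefix the way range-query breach services do, so a lookup
# would reveal only a hash prefix, never the full hash or the password itself.
_CORPUS_BY_PREFIX: dict[str, set[str]] = defaultdict(set)
for _pw in ("password", "123456", "qwerty", "letmein", "Summer2023!"):
    _h = sha1_upper(_pw)
    _CORPUS_BY_PREFIX[_h[:5]].add(_h[5:])


def is_in_breach_corpus(password: str) -> bool:
    """Return True if the password's SHA-1 appears in the constructed breach corpus."""
    h = sha1_upper(password)
    return h[5:] in _CORPUS_BY_PREFIX.get(h[:5], set())


@dataclass
class Credential:
    user: str
    password_set_at: datetime
    compromise_evidence: bool = False  # set by incident response, stuffing alerts, etc.


# Constructed reference clock so the checks are deterministic (not real data).
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)


def credential_aged(user: str, days: int, compromise_evidence: bool = False) -> Credential:
    """Helper: a credential whose password was set `days` days before NOW."""
    return Credential(user, NOW - timedelta(days=days), compromise_evidence)


def legacy_policy(cred: Credential, now: datetime = NOW,
                  max_age: timedelta = timedelta(days=180)) -> bool:
    """Calendar-driven expiry: reset purely because the password is old."""
    return now - cred.password_set_at > max_age


def evidence_policy(cred: Credential, password: str) -> bool:
    """Rule quoted from SP 800-63B in the thread: reset only on evidence of compromise."""
    return cred.compromise_evidence or is_in_breach_corpus(password)


def strength_scaled_policy(cred: Credential, password: str, now: datetime = NOW) -> bool:
    """The last commenter's variant: compromise always forces a reset; otherwise the
    reset interval grows with password length. Thresholds are assumed for illustration."""
    if evidence_policy(cred, password):
        return True
    length = len(password)
    if length >= 24:  # long passphrase: age alone never forces a reset
        return False
    interval = timedelta(days=90) if length < 12 else timedelta(days=365)
    return now - cred.password_set_at > interval


if __name__ == "__main__":
    passphrase = "correct horse battery staple tuesday"
    alice = credential_aged("alice", 200)
    for name, verdict in (
        ("legacy (180-day expiry)", legacy_policy(alice)),
        ("evidence-of-compromise", evidence_policy(alice, passphrase)),
        ("strength-scaled", strength_scaled_policy(alice, passphrase)),
    ):
        print(f"{name:28s} reset required: {verdict}")
```

Run stand-alone, the script shows the same 200-day-old passphrase being forced to rotate under the legacy policy and left alone under the other two; swapping in a password that appears in the corpus flips all three to a reset, which is the distinction the quoted NIST rule draws.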