Conversation

Notices

1. Embed this notice
   Lukasz Olejnik (lukaszolejnik@mastodon.social)'s status on Wednesday, 25-Sep-2024 02:56:08 JST Lukasz Olejnik

   GREAT change is approaching. NIST will standardise prohibition of requirement of composing passwords from various character styles, and requirement for periodic password changes. These are harmful and obsolete rules. Now they will be treated as a cybersecurity weakness https://pages.nist.gov/800-63-4/sp800-63b.html

   • Another Linux Walt Alt and feld like this.
   • Embed this notice
     feld (feld@friedcheese.us)'s status on Wednesday, 25-Sep-2024 02:56:27 JST feld

     in reply to
     @LukaszOlejnik nobody seems to have received the last memo, though, so I'm not too hopeful this will produce meaningful change in the near term
     Another Linux Walt Alt likes this.
   • Embed this notice
     Zimmie (bob_zim@infosec.exchange)'s status on Wednesday, 25-Sep-2024 20:27:51 JST Zimmie

     in reply to

     • DelegateVoid

     @delegatevoid @LukaszOlejnik Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.

   • Embed this notice
     DelegateVoid (delegatevoid@mastodon.gamedev.place)'s status on Wednesday, 25-Sep-2024 20:27:52 JST DelegateVoid

     in reply to

     @LukaszOlejnik I still don't get why they should limit the password length.

     GreenSkyOverMe (Monika) repeated this.