Reworded rules for clarity:
- Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
- Max length should allow at least 64 chars.
- You should accept all ASCII plus space.
- You should accept Unicode; if doing so, you must count each code as one char.
- Don’t demand composition rules (e.g. “u’re password requires a comma! lol lmao haha” tier idiocy)
- Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.
- Don’t store password hints that others can guess.
- Don’t prompt the user to use knowledge-based authentication.
- Don’t truncate passwords for verification.
I was expecting idiotic rules screaming “bureaucratic muppets don’t know what they’re legislating on”, but instead what I’m seeing is surprisingly sane and sensible.
NIST generally knows what they’re doing. Want to overwrite a hard drive securely? NIST 800-88 has you covered. Need a competition for a new block cipher? NIST ran that and AES came out of it. Same for a new hash with SHA3.
How about making it illegal to block copying and pasting on website forms. I’m literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.
Frankly I’m mostly annoyed that my browser allows web sites to block cut and paste, ever. I am capable of making my own decisions over whether I want to cut and paste.
There are plugins that will disallow this. I think the one I use is “don’t fuck with paste”
