Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • turtle@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    2 months ago

    It’s crazy that they didn’t include all the “should” items in that list. If you read the entire section, there’s a critical element that’s missing in the list, which is that new passwords should be checked against blocklists. Otherwise, if you combine 1, 5, and 6, you end up with people using “password” as their password, and keeping that forever. Really, really poor organization on their part. I’m already fighting this at work.