by bluGill 3151 days ago
You don't necessarily have to convince IT. If you instead convince their legal department that by not following the NIST standards for passwords they are opening their company to a lawsuit, that could get results a lot faster.

When IT is convinced, they have to decide when to put it into the budget. If they think their policy is not okay, just not perfect, the fix will probably be buried in the bottom of the budget pile and cut every year.

When a company does not follow a NIST standard [that applies], that is admissible in court against them. While it isn't an automatic loss, they have to defend why they didn't follow the standard. In some cases the defense is not to the jury, but to the judge, who can make a "statement of fact" and tell the jury to assume negligence for not following the standards. When legal says the cost of not complying with NIST password guidelines is potentially 10 million dollars, that puts fixing the password requirements much higher in the budget.


The relevant bit being "Verifiers SHOULD permit claimants to use 'paste' functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets."

But that's a recent change to the NIST guidance. Searching for "Bill Burr NIST" will turn up recent stories about the original author's regret of a lot of the password recommendations from the original publication in 2003 that survived until the update this year.
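As an added example (not part of the thread, and not NIST's or anyone's reference code), here is a small audit that a defender could run over a page's HTML to find password fields whose inline `onpaste` handler blocks pasting, the practice the quoted NIST guidance advises against. The sample HTML is constructed for the example; the function names are mine. It only catches handlers written as inline attributes, so a field blocked by a script-attached listener would need a browser-side check instead.

```javascript
// Parse the attributes of a single HTML start tag into a lowercase-keyed map.
// Handles double-quoted, single-quoted and bare attribute values.
function parseAttributes(tag) {
  const attrs = {};
  const attrRe = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const a of tag.matchAll(attrRe)) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
  }
  return attrs;
}

// Return every <input type="password"> whose inline onpaste handler cancels
// the paste (via "return false" or preventDefault()). Other input types are
// ignored: the NIST clause concerns memorized secrets, not usernames.
function findPasteBlockedPasswordFields(html) {
  const findings = [];
  const inputRe = /<input\b[^>]*>/gi;
  for (const m of html.matchAll(inputRe)) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    const handler = attrs.onpaste || "";
    if (/return\s+false|preventDefault\s*\(/i.test(handler)) {
      findings.push({ name: attrs.name || attrs.id || "(unnamed)", handler });
    }
  }
  return findings;
}

// Constructed sample login page (hypothetical form, not a real site):
// one text field blocks paste (irrelevant here), two password fields block
// paste in different styles, and one password field is compliant.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="user" onpaste="return false">
  <input type="password" name="pw1" onpaste="return false">
  <input type="password" name="pw2" onpaste='event.preventDefault()'>
  <input type="password" name="pw3" autocomplete="current-password">
  <input type="submit" value="Sign in">
</form>`;

// Run the audit over the sample and return the findings for inspection.
function runAudit() {
  return findPasteBlockedPasswordFields(SAMPLE_HTML);
}

for (const f of runAudit()) {
  console.log(`password field "${f.name}" blocks paste via onpaste="${f.handler}"`);
}
```

Running it reports `pw1` and `pw2` and stays silent on `pw3`, which is the form the guidance wants. The regex approach is deliberately simple so it can run offline against saved HTML; for a live site the same check can be made in the browser by looking at the listeners attached to each password input.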

Do you have any references to instances where this strategy was successful?
No, it is an idea. The NIST standard is new enough that I wouldn't expect anything yet. Going to court takes years. If they settle out of court they probably make not talking a part of the settlement.
Not all websites are operated by US companies. Would that still work for, say, UBS (a big bank) in Switzerland?
NIST is recognized worldwide in a similar vein to the IEEE, IETF or ISO. It's a regulation organization important enough to move banks, large companies and outsourcing firms.

A recommendation won't allow you to sue a company contrary to what the other commenters seem to think, but it's enough for any internal employee who works on something to call for and justify a change.

You can sue anyone for anything. Winning is a different matter. Even if you can't win though, the cost of defending a trial is expensive.
Maybe, does UBS have a branch in the US that you can sue? Alternatively, does the country you are in treat foreign standards as admissible in their court in some form? Does the country have their own version of NIST that is willing to "leverage" the work of another country into their own standards, thus making the NIST standard a national standard for their country? Does the country have their own version of NIST that has already issued a standard? Any of the above are angles to consider before you reject legal approaches to the problem just because the country doesn't apply.

Your question is one of the reasons I didn't say the legal route was a better way. It is an option that may get better results in some cases. Even in the US it may not always get the best result.