That email made it clear that Heroku lacks fundamental knowledge about security. I’m sure they lost some enterprise customers, I know I don’t open accounts on websites with silly password complexity requirements.
Google allowed 6 character passwords for a while, and didn't expire them when they increased the minimum to 8 for Google Workspace accounts. This has been fantastic, as users can remember their password forever even if it's higher complexity (Google does a password strength eval). No rotations either.
I'm pretty confident Google will pick up someone trying to brute force a 6 character password. That Google will notice connections from new / different IPs or browsers. That's because Google asks for my 2FA in various situations but doesn't annoy me by asking for 2FA all the time.
I use one govt system that has something like a 14 character password requirement. For even more security if you don't log in for 90 days your account goes inactive and the password EXPIRES! Very secure you say? Well, to regain access you have to provide the answer to a security question - favorite pet! That's a 5 letter word that doesn't change (and is probably pretty guessable).
Here is another example:
"(b) Information systems must be designed to require passwords to be changed not less frequently than every sixty (60) days." - SBA IT Security Policy - 90 47 4
Right, we've found actually simple passwords but with the mandatory 2FA turned on works really well. The 2FA google uses is a gentle touch in most cases (can persist on a device for 30 days).
Google has nice 2FA controls. In a Workspace setup you can actually tweak them to match your needs because the lockout / reset path (was) pretty reasonable (when it was onsite). I.e., we could disable certain methods, and for some higher security groups you can provide hardware keys and then turn that group up a bit.
Never had to rotate passwords and users are glad for that I think.
I do wish google offered "Cloud Chrome" for admin staff to open email / click on links etc. Basically a remote VM with chrome but no file access directly.