by tdiff
669 days ago
Is there actually some "professional consensus" on password reset policies (in form of report or journal article or something similar)? If someone could share, I'd love to refer to it in my org to stop resetting passwords every n months.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
It has much to say on all kinds of other password nonsense:
> Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well.
> Truncation of the secret SHALL NOT be performed.
> Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.
> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered.
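As an added example (not code from the thread or from NIST), here is a minimal Python verifier that applies the quoted acceptance rules (64+ characters, printing ASCII plus space, Unicode, no truncation) and includes a self-check that would catch a verifier silently cutting the secret; the MIN_LEN, MAX_LEN and PBKDF2 parameters are my assumptions, not values from the thread.

```python
import hashlib
import hmac
import os
import unicodedata

# Bounds are assumptions for this example; the thread only quotes "at least 64 characters".
MIN_LEN = 8
MAX_LEN = 1024          # generous cap so the slow hash cannot be fed megabytes
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demo


def is_acceptable(secret: str) -> bool:
    """Apply the quoted acceptance rules: any length up to MAX_LEN (well beyond 64),
    all printing ASCII plus the space, and any Unicode that is not a control character."""
    if not MIN_LEN <= len(secret) <= MAX_LEN:
        return False
    # 'Cc' is the Unicode control category: NUL..US and DEL in ASCII plus their Unicode
    # equivalents; everything else (letters, symbols, emoji, the space) is allowed.
    return all(unicodedata.category(ch) != "Cc" for ch in secret)


def store_secret(secret: str) -> tuple[bytes, bytes]:
    """Salt and hash the whole secret. UTF-8 encoding keeps every Unicode character and
    nothing is sliced off, so the 'no truncation' rule holds."""
    if not is_acceptable(secret):
        raise ValueError("secret violates acceptance rules")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def truncation_check(prefix_len: int = 72) -> bool:
    """Self-test for the SHALL NOT truncate rule: two secrets identical for the first
    prefix_len characters and different after that must not verify against each other.
    A verifier that silently cut the secret at prefix_len would make this return False."""
    base = "x" * prefix_len
    salt, digest = store_secret(base + "A")
    return not verify_secret(base + "B", salt, digest)
```

Run `truncation_check()` against your own store/verify pair with the prefix length of whatever hash you use; a True result means the full secret is being hashed.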