by ygjb 4335 days ago
To provide a bit more context, in early 2011 we made a conscious decision to move towards the password storage methods described here: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

While we were moving in that direction (upgrading apps, etc.) we also launched Persona (BrowserID at the time). Some apps opted to switch to Persona, others opted to upgrade password storage mechanisms.

1 comment

That's an interesting document.

It mainly contains assertions for what one should do. Do you know if there's an explanation for the rationale anywhere? For example _"Passwords must be 8 characters or greater"_ or _"Privileged accounts - Password for privileged accounts should be rotated every: 90 to 120 days"_.

Not on hand, those decisions were made years ago, and done in email discussions and in person meetings.

That said, the password length requirements were driven by the cost of performing effective brute force attacks against properly hashed and salted values at the time we set that length.

The privileged-password rotation was basically a stop-gap measure to ensure that users were refreshing passwords regularly. The correct solution is to deploy multi-factor authentication.
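As an added example, not code from the post, from Mozilla, or from the linked guidelines, the following shows the two pieces the replies above lean on: a salted, iterated password hash that makes each guess expensive, and the arithmetic that turns a guess rate into a "time to exhaust an 8-character keyspace" figure, which is the kind of calculation behind a minimum-length rule. PBKDF2-HMAC-SHA256 at 100,000 iterations stands in for whatever KDF the guidelines actually specify; the 95-symbol alphabet, the 10^9 guesses/s figure for a fast unsalted hash on a GPU, and all other numbers are assumptions.

```python
"""Salted, iterated password hashing plus brute-force cost arithmetic.
Added example; PBKDF2-HMAC-SHA256 and every numeric parameter below are
assumptions, not values taken from the Mozilla guidelines page."""
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # assumed salt size; 128 random bits per password
DKLEN = 32             # derived-key length in bytes
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$dk_hex'.

    A fresh random salt per password means two users with the same password
    get different hashes, so precomputed tables are useless and an attacker
    has to pay the full iteration cost for every guess against every account.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    int(iters), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates of exactly `length` symbols; 95 = printable ASCII (assumed)."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float,
                     alphabet_size: int = 95) -> float:
    """Worst-case time to try every password of the given length."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(target_years: float, guesses_per_second: float,
                   alphabet_size: int = 95) -> int:
    """Smallest length whose keyspace takes at least `target_years` to exhaust."""
    needed = target_years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(length, alphabet_size) < needed:
        length += 1
    return length


def measure_guess_rate(iterations: int = ITERATIONS, samples: int = 10) -> float:
    """Single-core guesses/s at this work factor, measured on the local machine."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=DKLEN)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify:", verify_password("correct horse battery staple", stored))
    local = measure_guess_rate()
    print(f"local rate at {ITERATIONS} iterations: {local:.0f} guesses/s")
    # Same 8-character keyspace, very different outcomes depending on per-guess cost.
    for label, rate in (("fast unsalted hash on a GPU (assumed 1e9/s)", 1e9),
                        ("PBKDF2 at the rate measured here", local)):
        print(f"{label}: 8 chars exhausted in {years_to_exhaust(8, rate):.2f} years;"
              f" {min_length_for(1.0, rate)} chars needed to survive one year")
```

The point the numbers make: at 10^9 guesses/s an 8-character printable-ASCII space falls in well under a year, while at the few thousand guesses/s a 100,000-iteration KDF allows per core, the same space takes tens of thousands of years. The minimum length and the hash cost are a pair, and the length threshold has to be revisited whenever the per-guess cost of attacker hardware drops.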