NIST to forbid requirement of specific passwords character composition

228 pointsposted 11 hours ago
by riffraff
(mastodon.social)

114 Comments

hsdropout

10 hours ago

This has been in their guidance since at least 2017.

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator"

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

Also worth pointing out that NIST doesn't set policy, so unfortunately this doesn't directly "forbid" anything, though many other policies reference 800-63.

guerby

7 hours ago

Before the change : https://pages.nist.gov/800-63-3/sp800-63b.html

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. "

After the change: https://pages.nist.gov/800-63-4/sp800-63b.html

"Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords."

So advice to requirement for this part, which is great!

cheriot

8 hours ago

> SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)

Are there employers that follow this advice? Mine won't (and won't say why).

tialaramex

7 hours ago

The only employer I've had which had a dumb rotation rule was of course a huge American Credit Reference Agency which due to ordinary incompetence lost a lot of people's personal information.

These days I work in tertiary education, so there's a complete spectrum from people who probably have memorised a unique sixteen alphanumerics password twenty years ago to folks who needed a service desk worker to help them walk through resetting after having forgotten their password was the name of one of Henry VIII's wives. And there's likewise a spectrum between "I hand-built this optical splitter and splice so that I could steal the exam answers without any trace on the network" and "I wrote the formulae on my thigh in permanent marker and then wore a skirt with a big slit down one side" in terms of the technical sophistication of attacks.

Edited to add: When I did work for the CRA with the rotation rule I would write down each of the passwords in columns in the back of my log book since otherwise I might forget one and that was a huge pain to get reset, it's just not realistic to memorize "random" values you'll have to replace frequently. And of course they had two "Single" Sign On systems because of warring management, so that's two passwords to rotate.

tallanvor

8 hours ago

Yes. My very large employer hasn't required me to change my password in over two years. But at the same time, 2FA requirements have changed to more secure forms (going from having to select one of 3 numbers on a prompt to having to type in the number, for example), and some resources can only be accessed using a hardware key or even a special laptop.

ratherbefuddled

7 hours ago

I've found it commonplace these days at least in europe that organisations use SSO via an identity provider that requires MFA for everything they can - even clients who are banks and utilities that usually move at a glacial pace.

The last time I worked anywhere with periodic password change was 8 years ago and they were phasing it out. The same place would reset your password to Monday123 if you got locked out (whether you needed a password reset or not) and forget to set the "force change" flag.

briandear

8 hours ago

It’s because the CIO or whomever is running the show is a relic from the 1990s. I can tell a lot about a company by their password policies. There also seems to a direct correlation to silly password and “security” policies and the usage of Microsoft products such as Teams and Outlook.

mschuster91

8 hours ago

> It’s because the CIO or whomever is running the show is a relic from the 1990s.

More often, it's because the "cybersecurity insurance" is a shitshow. When you as a CIO deviate from their requirements and get 0wned, you're getting stuck with the bill.

Traubenfuchs

8 hours ago

I wonder what will happen if I post a provocative „Why is our IT department violating NIST password recommendations?“ in public slack.

Prcmaker

8 hours ago

In my experience, you get labelled as not being a team player.

petepete

7 hours ago

Or a busybody (speaking from personal experience).

About 18 months after me raising this issue and referencing both NCSC and NIST, the rules at the org I'm contracting with were changed.

I have no idea whether my suggestion made any difference.

cabirum

7 hours ago

From the employer POV, employees cannot be trusted to discover their passwords are compromised, so updating them limits the duration the leaked password works.

cheriot

7 hours ago

Did NIST not take this into account?

Frequent changes mean more people write them down.

afiori

6 hours ago

Frequent changes are a good way to move the blame on employees

sophiebits

10 hours ago

It seems it’s been upgraded to SHALL NOT this year.

__egb__

5 hours ago

> Also worth pointing out that NIST doesn't set policy…

Which has a side effect of NIST not even following its own guidance!

mndgs

10 hours ago

FINALLY. Good God, how annoying those website signups with "a good password must use a, b and c" are... It seems a lot of site devs know shit about what a good password is.

BenjiWiebe

9 hours ago

I had one today that said my password must be between 6 and 20 characters. I had entered a generated 16 character password.

Generated another 16 character password, alphanumeric-only this time, and it worked.

If you're going to have forbidden characters, MAKE SURE YOU TELL ME WHAT THEY ARE!!!

PhilipRoman

8 hours ago

The funniest password requirement I've seen was "must include a special character" but the special character selection was limited to #!$& and of course attackers know this requirement too. Combined with most people putting it at the end, that gives a little over 2 bits of entropy...

Elfener

4 hours ago

When I was creating a password for online banking, it required me to include at least one special char - but apparently they didn't consider the dollar sign ($) a valid character...

zelphirkalt

8 hours ago

Wait till you meet websites that simply truncate your password at 32 characters or 16 character without telling you and leaving you to figure out, why you cannot log in with your just a minute ago set password ... and what that says about how they store passwords. Either they are complete idiots and do not understand what hashing will do, or they are even more idiots and store passwords in plain text in their database, so that the length matters this much.

Semaphor

8 hours ago

My default PW gen rule is only alphanumerics, far too many websites have issues with special characters. It’s also 24 in length because that tends to fit most, while 32 gives me frequent errors.

alkonaut

7 hours ago

A good password

- Must be likely to enter correctly on the first attempt, on a bad mobile keyboard, or using a TV remote.

- Must be likely to be remembered in my stupid brain even if I haven't used it for many years. Must work even on places

where you can't use a password manager (Such as a smart TV, games console, ...) Other less important requirements to me, in 99% of cases:

- It's hard to guess for someone else, unless it's an account where you mind someone guessing it.

The last point is key. I have thousands of accounts. And I care about people not breaking into maybe 4 of them.

I don't trust sites to have good lost password ("email login") flows. So for 90% of sites and services I use a password that is a) as simple as possible and b) as common as possible so I don't have to remember many. Yes I AM a developer. Yes I DO use a password manager. But I don't know whether I'll be able to use my password manager when I sign into a specific account next time. It's more likely than not that it ends up being on a smart TV or whatever. So I just use a stupidly simple password. Because for almost all sites, I don't mind it being guessed. Worst case I'll need to reset it. Or worst case someone starts a support request in my name at Logitech, or someone screws with my Netflix viewing history or whatever. But I don't care. Or rather, I care much less than I care about not being frustrated when desperately logging in via a TV remote 3 minutes after the game has started.

I guard the important accounts with 2FA (especially the mail account that in turn resets ALL these other poorly protected accounts!). But for 99% of stores, forums, services: I use the equivalent of "12345" as password. (really I use a small prefix word + the service name 'initials' as suffix and end with an exclamation mark to pass most password demands).

pkaeding

20 minutes ago

> where you can't use a password manager (Such as a smart TV, games console, ...)

I just open my password manager on my phone and type it in. On these passwords, I am likely to avoid special characters, since they are a pain to type on these 'keyboards'

fanf2

4 hours ago

You should only rely on your memory for passwords that you use frequently. Rarely-used passwords should be kept somewhere safe and well-maintained, such as a password manager and/or on paper.

jasonwatkinspdx

9 hours ago

Years ago I worked in a Wells Fargo call center that had all the usual requirements including forced monthly rotation that had to be significantly different than the prior one.

Guess what the most common thing written on a post-it note on a monitor in somebody's cube was?

This was an outbound call center doing credit investigations, processing huge piles of PII and financial information daily.

I'm so glad to see this farce done away with.

jeroenhd

7 hours ago

> forced monthly rotation that had to be significantly different than the prior one

No need to write any of them down! Work smarter, not harder: WelcomeDecember2023! -> WelcomeJanuary2024! -> WelcomeFebruary2024! -> WelcomeMay2024! -> ...

(don't do this, obviously)

The funniest password sticky note I've seen was someone whose password was the name of their child and their birth year. Not a great password in general, but apparently they didn't know their kid very well because they had to write it down and stick it onto their monitor.

hinkley

9 hours ago

And no white space characters. That one makes me want to hurl obsceneties until the author’s eyes pop out. Goddamned amateurs.

bagels

8 hours ago

I wonder how well those correlate with poor password storage security practices (plaintext, lack of salt, lack of encryption, etc.)

f1shy

9 hours ago

The most offensive are the ones where it says "your password is not safe" but don't tell what the problem is!

PeterStuer

8 hours ago

The absolute worst I ever encountered was the Mojang to Microsoft account migrator. The only thing I ever found it accepted was one of those indecipherable browser generated passwords unfit for human entry or memory. Ofc the rules were never stated, so you just had to guess.

bagels

8 hours ago

I really, really think that flow was designed to try to get more re-purchases of Minecraft.

Elfener

4 hours ago

I mean they could've not deleted the accounts of people who didn't migrate (and instead just stopped them from playing until they did) and they did delete them so that is definitely the case.

zelphirkalt

7 hours ago

Pretty bad, but use a password manager and generate random passwords, unique to each account.

makeset

8 hours ago

I had a website keep rejecting my registration at checkout, and Customer Support explained that I was tripping the bot filter for my password being too random. I had to introduce them to the concept of password managers, in 2020. It's a wild world out there.

M95D

8 hours ago

Why are you so happy about?! Those devs will continue to not know what a good password is. It's not like a new standard will telepathically transplant itself into their brains.

TeMPOraL

7 hours ago

Uncaring devs will stay uncaring, but I feel the bigger problem is still corporate. NIST recommendations carry little weight with corporate IT security. Certifications, compliance, and insurance do - so little will change until the revised recommendation works its way through the entire mutual appreciation society of audit agencies, "cyber" insurance providers, industry certification bodies, certification consultants, and a whole mud ball of enterprise middleware companies.

I mean, take Microsoft ecosystem (Windows, SharePoint, Exchange, and other auth infra): it never had any bullshit password policies enabled by default - but every corporate Windows machine has them, because someone in corporate IT is setting it as central policy, and they're doing it because they "know better", or because the company is trying to get/keep their ISO:2007-whatever SOC2 stamp (or trying to secure a deal with another company that is), and some consultant came up the other day with a questionnaire asking if corporate systems are Secure, by for example implementing Specific Bullshit Policy. Easier to implement it and call it a day, than to contest every other checkbox on the questionnaire...

askvictor

10 hours ago

Also forbids 'security questions' e.g. "What is your mother's maiden name?"

lolinder

9 hours ago

It drives me absolutely crazy that the same bank website that times out my session after 5 minutes of inactivity insists that I set up recovery questions from a list that all amount to what is typically public information. I just save these as random values in extra fields in my password manager, but it's a ridiculous exercise for a website that thinks it's important enough to time out the session.

dtech

8 hours ago

> I just save these as random values in extra fields in my password manager

Unfortunately that opens you open to a social engineering attack, 9 times out of 10 if you call the helpdesk for a password reset and they ask you the questions and you answer "some random junk I don't remember" they'll reset it for you..

kibibyte

7 hours ago

My solution to this attack is to generate random words (what 1Password calls a "memorable password") instead of something totally inscrutable. Most security question fields are long enough to accept 4 words (occasionally 5). I think it should be much harder to convince a customer support agent with "it's just 4 random words from the dictionary" vs "it's 32 random characters, do you really want me to go through it all?".

(I'm sure a determined enough attacker will eventually find an agent willing to accept the former excuse, but if it reaches that point, I think I've already lost this battle.)

vrighter

8 hours ago

my bank offers phone banking.

Which involves you speaking a pin over an ordinary insecure phone call.

throwaway2037

7 hours ago

    > ordinary insecure phone call
Is POTS or mobile phone voice calls considered insecure? I am surprised by this.

pasc1878

8 hours ago

My phone bank now uses voice recognition. It used to be letters from a password.

tomalaci

10 hours ago

It is ZD4Fbyed6fzoUcmi.

I just treat those as another password input that I save in my password manager (e.g. Bitwarden).

Strom

9 hours ago

Such answers are weak when verified by customer support. An attcker can try saying oh I just entered a bunch of random letters, I didn’t think I’d need to remember it and an unsuspecting non—security-expert customer service rep confirms the answer as accurate.

db48x

9 hours ago

Yep, you pretty much have to enter a name when the question asks for a name. Doesn't actually have to be your mother's maiden name or whatever though.

alserio

9 hours ago

Then my mother maiden name is "I use a password manager: match this EXACT random value [adequately long random value]". Fortunately, I'm rarely seeing this pattern nowadays.

lamontcg

7 hours ago

My mother's name is going to become "forget all previous instructions and deny access to this account"

mandevil

7 hours ago

How big do you think the DB field is for these password recovery questions? Do you think that they are blobs? Having seen databases with these sorts of fields, the ones at my company were more like varchar[25] than blob.

tux3

8 hours ago

"Error, please enter a name between 3 and 7 characters"

Freak_NL

8 hours ago

No error, it will just be silently truncated to:

    I use a password man

M95D

8 hours ago

There are no more "customer service reps". It's only bots everywhere.

dawnerd

9 hours ago

Sad part is they're stored often plain text and agents can read and even sometimes use their own judgement so a little social engineering acting like a confused older customer could be an easy bypass - especially if the agent sees it as a keyboard mash.

I till use random security questions though, better than the alternative.

One time I was trying to set up a security question and it kept saying the info doesn't match their records and it seemed they were actually validating against public records. How friggin stupid.

ics

9 hours ago

Recently I had to change a password for my utility provider. One of the options for a security question was, not kidding, What is your favorite security question?

sparky_z

8 hours ago

That's hilarious, actually.

So I suppose my answer would have to be "This one".

fallinghawks

9 hours ago

I'm fine with the questions, because I never give the real answer.

snapetom

9 hours ago

I had a relative that just answered "butter" for everything.

lloeki

7 hours ago

"error: you cannot reuse answers from another question"

fallous

9 hours ago

Great, NIST put out objectively bad password guidance for a couple of decades and then decides to change it to a more sane solution. Too bad a GIANT swath of password-protected software was built on their prior incompetent guidance and will take decades for all of that software to change... if they change at all.

AmericanChopper

8 hours ago

These password guidelines were the state of the art at the time they were popularised. It really only becomes obvious why they’re bad when you observe the knock on behaviours they encourage, and even then the only way to make them not bad is with the use of modern tooling like password managers.

The world has been rather slow to move off this standard, but NIST has been a huge enabler of that, so I don’t think they deserve any hate for this. Not too long ago the NIST password guidance was THE authority that enabled regulated companies (like PCI companies) to migrate off password complexity requirements with a compensating control.

There’s plenty of other toxic security ideas out there as well. I would argue any control that generates large amounts of user friction for a negligible security benefit is probably a net downgrade in security posture, as user friction just normalises a culture of circumvention. Hopefully authorities like NIST can lead the way in tackling many of those as well.

PoachedEggs

8 hours ago

> probably a net downgrade in security posture, as user friction just normalises a culture of circumvention

There is even a CWE for this concept: “CWE-655: Insufficient Psychological Acceptability”

> The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

AmericanChopper

8 hours ago

Hah, how interesting. I can’t believe I’ve never seen that one before.

jand

8 hours ago

> 9 Verifiers SHALL verify the entire submitted password...

Is this "don't microwave your hamster"-requirement a result of the bcrypt trouble [1] or how comes?

[1] https://security.stackexchange.com/questions/39849/does-bcry...

mandevil

7 hours ago

My suspicion is this to rule out a specific hash. One well known to everyone interested in computer security back in the 1990's. One that haunts our nightmares to this day.

Back in my day, you see, there was this hash known as NTLM, which actually took your password and stored and then matched it in two ways, the NT hash (MD5 of your password in UTF-16) and the LM hash (split the first 14 bytes of your password in ASCII, then add parity bits and use that as a DES key to encrypt a well-known string). That LM hash was because they wanted it to be backwards compatible with Microsoft LanMan, introduced for OS/2 back in 1987. Even back in the 1990's it was a well known weak link, and given how trivial it is today to brute force a match for MD5 (since all characters after the first 14 can be arbitrary), you can see that this is simple to brute force with modern computing power. Microsoft has recommended NTLM not be used since 2010, but it's still in Windows for backwards compatibility reasons, and there are almost certainly still servers running today that a NTLM hash could get you access to. So that's my guess as to what they are targeting.

entuno

8 hours ago

It predates bcrypt by quite a bit - descrypt would truncate password at 8 characters (or technically 8 bytes) and was used on a lot of older Linux and *NIX systems.

nielssp

8 hours ago

Ran into this exact issue on a project. The developer that implemented the solution wanted to make sure that we handled those 6 digit PINs in the most secure way with salt and pepper and bcrypt, and at the end of the day the system only actually checked the first two digits of the PIN because bcrypt ignored the rest.

Sammi

6 hours ago

Does this permit taking a sha 512 digest hash of the user input and returning that digest hash to the backend for proper password hashing?

My interpretation is that the entire password is being verified, even though the backend is only ever verifying a sha 512 digest hash of it.

(Oh and why would you do this? To be able to support arbitrary length passwords without opening yourself up to ddos attacks. Support as long passwords as the user wants - only the digest hash is sent.)

fuzzy2

7 hours ago

Still a problem irrespective of algorithms used. I recently set up an account on a website, letting my password manager do its thing. Couldn’t log in. Turns out the password was too long (20 chars when 16 were allowed) and was silently truncated during signup.

The login form of course used the entirety of the password, not truncating it. Fun stuff.

jeroenhd

7 hours ago

I ran into that with Paypal. Login limited my password length to something small (I think 20 characters?) but the signup page accepted my random 32 characters just fine.

I found out I could just enter the first 20 characters and log in. I've had other websites that simply broke. The worst one had a password reset page that also didn't verify their own password length limits, sending me in a frustrating password change loop.

adgjlsfhk1

10 hours ago

also raises the suggested max password length to a much more reasonable 64 (many sites have a max of 20 that makes passphrases impossible)

danpalmer

10 hours ago

I also misread this requirement the first time, but it's "at least", i.e. they are encouraging as high as possible, but suggesting that the "minimum" max length should be 64 characters.

beej71

9 hours ago

I don't get the max length restrictions some sites have. Why?

JimDabell

9 hours ago

Some password hashing algorithms have a hard limit, for instance bcrypt has a maximum of 72 bytes. Beyond that, not having a maximum opens you up to DoS attacks because attackers can tie up your servers by asking them to hash a few hundred 20MB passwords at a time.

tetha

9 hours ago

Personally, I'm worried about the CPU of my application servers if a cost-oriented hash function has to process your 4GB large password. Though imagine how much clout we could get from all the bogus DoS CVEs this could find.

But jest aside, imo there should be a maximum limit to avoid possible nonsense, but that limit should be at 1k - 2k characters or something outlandish.

mnw21cam

7 hours ago

I don't think the compute time varies that much with the length of the password being hashed for these cost-oriented hash functions.

tsimionescu

7 hours ago

At some point you do need a limit: you don't want a 1GB password being transferred, of course. But the low limits you often see is somewhat lazy use of fixed-length hashing algorithms (shorter than the algorithm length: just pad; longer than the algorithm length: refuse, instead of using a different hash or figuring out how to combine multiple hashes).

kouteiheika

9 hours ago

That's what you gotta do when you store your passwords in plaintext and the password column in your DB is capped at a certain length.

BenjiWiebe

9 hours ago

You could have a reasonable length limit (1kb maybe?) so you don't spend too much CPU time hashing the password.

briandear

8 hours ago

One mainframe system I need to access has an exactly 8 character password requirement. (Consulting work for an insurance company.)

Sammi

6 hours ago

So the argument of whether this increases or decreases entropy goes both ways:

1. Requiring certain characters is a limit on which characters are selected. An attacker now knows to look for at least one digit, upper case char, and one of 10 special chars. This is a smaller selection of characters than the whole of all characters that were available before, so it decreases entropy.

2. Most users choose weak simple passwords with low entropy. Requiring users to use some characters that they wouldn't otherwise increases the entropy as it increases the selection of characters in the password.

I actually don't believe 2, as most users will just start with an upper case char and end with 1!, so the entropy will still decrease for most users, as they will choose easily guessable placements for these required chars.

nottorp

8 hours ago

Little story:

My wife's bank was using a numeric id as the login until last month. They had token based and then app based codes instead of passwords, which was decent.

This month they forced her to pick an user name instead of the numeric code to login. They required her to have at least one capital letter and a number. In the user.

According to Gemini it's the 8th largest European bank :)

mindslight

7 minutes ago

Just signed up for Discover credit card online access the other day, and they wanted a symbol in the username. I think their nags also said to change your username often. Like oof, the cargo cult gets its own cargo cult.

anilakar

7 hours ago

I'm still waiting for NIST to deprecate plain-text* passwords in favor of PAKE, and W3C to come up with a mechanism for that.

*) plain-text here means any and all methods that give the attacker access to the original password, including modifying client-side JS.

gazby

7 hours ago

They've been working on just this bit for the better part of a decade. It'll happen (passkeys I imagine), just slower than most of us would like.

lofaszvanitt

8 hours ago

Can't we just leave passwords behind once and for all...

tsimionescu

7 hours ago

Not without losing a lot, for most applications.

bediger4000

11 hours ago

Finally! A best practice that makes sense! Now let us see the password as we "type" on rinky dink cell phone virtual keyboards!

can16358p

10 hours ago

For an additional attack vector of people spying on screens?

Having password masked makes sense by default, but I agree users should be able to see passwords explicitly by tapping an "eye" icon.

bowmessage

10 hours ago

Who is typing passwords these days?

pjmlp

10 hours ago

The munggles, the large majority of them.

And those of us unfortunate to use applications that forbid copy-paste on password fields.

f1shy

9 hours ago

That is yet another point that they should have taken...

justinclift

9 hours ago

Everyone on sites that forbid pasting into the password field. (!)

makach

10 hours ago

Everyone? Just consider your mobile phone when doing anything that requires some sort of security elevation.

nixosbestos

9 hours ago

My passwords are 30 characters of gibberish. I'd yeet my phone before typing a password on it. Not to mention, the obvious.

adastra22

10 hours ago

If you're following NIST best practices, you're using a password manager instead.

benatkin

9 hours ago

That enables passphrases! accurate donkey charger glue

wtcactus

8 hours ago

Thank God.

I’ve been noticing this downward spiral for more than a decade now. It’s becoming unmanageable to use authentication.

It’s MFA, passwords and passkeys in multiple forms. I have to reach several times a day for the phone to get yet another MFA from the Authenticator or SMS to login the same site I’ve used yesterday. Constant nagging for “security“ from everywhere, and on top of these, these unproductive password changes requests described in the article.

I been thinking about it the last months, and we really need a paradigm shift when it comes to authentication. I’m not knowledgeable enough to know what, but I can see the problem pilling up in front of my own eyes.

makach

9 hours ago

The requirements could be even more clearer

* max 64 chars “should” requirement? vs. no truncation?

* what about pin-codes?

* the password process is still very much a hot mess, standardize registration, IIA, updating, cancellation

* protection of passwords at-rest, salt your passwords

phire

9 hours ago

> max 64 chars “should” requirement? vs. no truncation?*

There kind of needs to be a truncation at some point. Otherwise there is a risk of an attacker triggering a denial-of-service attack by sending multi-gigabyte passwords.

tsimionescu

7 hours ago

Truncation means accepting the long password, but only looking at the first N chars. It is never acceptable. Max length requirements are absolutely required, but they must be enforced by refusing the password, not by truncating.

matrss

4 hours ago

There definitely doesn't need to be truncation. A upper limit yes, to avoid the potential for DoS, but no truncation. That limit should be reasonably large, 1000 characters or something maybe.

I've seen a service whose registration form accepted my 64 characters long randomly generated password, but then the login form apparently truncated the password to something smaller, silently, and just said my password was incorrect. I then had to guess what was happening and reset my password to something shorter, which worked. If you must have a stupid password policy at least make it explicit (well, and consistent).

throwaway984393

10 hours ago

Too bad it won't get adopted by existing systems. I know huge companies still doing mandatory frequent password changes despite us telling them it goes against NIST for years.

snorremd

9 hours ago

This! Required frequent changes just makes people who don't use password managers choose weaker passwords to be able to remember them easily. And they'll almost guaranteed just choose the same password as before with a new post or prefix. "mychildhoodteacher1", "mychildhoodteacher2", etc.

It would be better to encourage users to use a single random four word passphrase and stick to that forever. Add 2FA and you are golden. But legacy systems gonna legacy. I still see systems with max password lengths of 12 characters in the wild, and no 2FA to boot. It's been a while since I got my password back in clear text though, so perhaps we're moving in the right direction.

kelnos

9 hours ago

Yep. The bit about not doing mandatory periodic password resets has been in these recommendations for a while, but most companies I hear about still require them.

JimDabell

9 hours ago

I still see bullshit like this from pen testers, who really should know better.

_dain_

8 hours ago

Who? Name and shame them.