[PATCH] stop using pwgen
ilf
ilf at zeromail.org
Sun Dec 18 17:54:00 CET 2016
Brian Candler:
> Furthermore, despite consuming so much entropy, it doesn't even
> guarantee that every password generated has at least one upper-case,
> lower-case, digit and symbol - i.e. the password may still be rejected
> by many websites!
Websites that impose such complexity requirements are not following the
NIST Digital Authentication Guidelines:
> Memorized secrets SHALL be at least 8 characters in length if chosen
> by the subscriber; memorized secrets chosen randomly by the CSP or
> verifier SHALL be at least 6 characters in length and MAY be entirely
> numeric. Since the CSP or verifier may disallow some choices of
> memorized secrets based on their appearance on a blacklist of
> compromised values, the subscriber SHALL choose a different memorized
> secret if a choice is rejected. No other complexity requirements for
> memorized secrets SHOULD be imposed; a rationale for this is presented
> in Appendix A.
https://pages.nist.gov/800-63-3/sp800-63b.html
https://pages.nist.gov/800-63-3/sp800-63b.html#appA
--
ilf
More than 80 million Germans do not use a console. Don't click away!
-- An initiative of the Federal Office for Keyboard Usage