[Info-vax] Enhanced Password Management
dgordonatvsi at gmail.com
Wed Mar 20 16:41:27 EDT 2019
On Wednesday, March 20, 2019 at 4:11:29 PM UTC-4, Stephen Hoffman wrote:
>
> More generally, it's interesting to see VSI headed away from what US
> NIST and other recent recommendations suggest for password composition.
Not all of our customers are there yet.
>
> "Verifiers SHOULD NOT impose other composition rules (e.g., requiring
> mixtures of different character types or prohibiting consecutively
> repeated characters) for memorized secrets. Verifiers SHOULD NOT
> require memorized secrets to be changed arbitrarily (e.g.,
> periodically). However, verifiers SHALL force a change if there is
> evidence of compromise of the authenticator."
>
From the Enhanced Password Management Installation and User Guide
Appendix C. DoD Password Policy Requirements as Provided by VSI
In 2017, NIST (National Institute of Standards and Technology) significantly modified their policy on memorized secrets (passwords). For more information about changes in the policy, see the Memorized Secret Authenticators section in the NIST Special Publication 800-63B (https://pages.nist.gov/800-63-3/sp800-63b.html).
This appendix contains the DoD password policy requirements with each item categorized by its implementation in the VSI Password Management software.
> --
> Pure Personal Opinion | HoffmanLabs LLC