Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update readme to not be plain and simple shaming #219

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

allan-simon
Copy link

so that we can also educate people on how to not be on that list

so that we can also educate people on how to not be on that list
We recommend you that in the future you refer to the OWASP (Open Web Application Security Project)
before implementing or specifying web applications.

For example the current set of recommendation, and the rationals on "why" for password rules are here:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For example the current set of recommendation, and the rationals on "why" for password rules are here:
For example the current set of recommendation, and the rationales on "why" for password rules are here:

before implementing or specifying web applications.

For example the current set of recommendation, and the rationals on "why" for password rules are here:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make this a more user friendly clickable hyperlink?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it also make sense to reference the actual revised NIST guidelines, here: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
and the use of good meters, such as zxcvbn?

Afterall, it was versions of those guidelines in the past that gave s the nightmare that we see today...

@duffn
Copy link
Owner

duffn commented Feb 15, 2023

Thanks for your previous submission!

I'm still interested in something here, but note that I've migrated from the README to a full site (#443). If you'd like to add a section on the about page that notes how best to not get on the list, I'm happy to take another look

@allan-simon
Copy link
Author

no problem I will try to take a look at it.

@abernh
Copy link

abernh commented Mar 4, 2023

@allan-simon are you still on it? I stumbled today over this project and had instantly the same complain as you did ... 3 years ago 😆 so here I am, willing to lend a hand in a fitting addendum for the "about" page.

I went over the current state of the NIST guidelines and based on that I'd suggest the following additional paragraph after "What makes a dumb password?"

"What makes a good password policy?"
The current NIST guidelines for passwords recommend:

  1. Longer passwords (>12 characters)
    but recommend even longer ones (passphrases with +64 characters)
  2. Don't require password complexity
    but screenout common passwords like "password" or "123456" (see also zxcvbn, "a password strength estimator inspired by password crackers")
  3. Avoid mandatory password changes
    except in cases of suspected compromise.
  4. Allow copy-paste
    to facilitate the use of password managers.
  5. Use two-factor authentication (2FA) or multi-factor authentication (MFA), especially for high-value accounts.

@allan-simon
Copy link
Author

@abernh if you want to replace my PR, feel free, I don't think I would have the time any time soon.

NIST actually state > 8 characters , and for 2) yes and point out that services like https://haveibeenpwned.com/ provide API for that, and all major web framework I know of (laravel, django, symfony , ruby on rails) do provide integration with it.

abernh added a commit to abernh/dumb-password-rules that referenced this pull request Mar 5, 2023
@abernh
Copy link

abernh commented Mar 5, 2023

True, it's just 8 characters. Well spotted.

I added the API reference and created a new PR #497

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants