I completely support this NIST policy, James. Unfortunately, the PCI Security Standards Council does not support this policy at this time. In order for a company to be PCI compliant, users must change their passwords every three months. PCI compliance is essential for companies to adhere to when they are processing credit cards. There are ways around the requirements; companies could basically out-source credit card processing to other companies such as Stripe or Square, but they need to know what they are doing to maintain compliance.
https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&time=1549638814227 From: django-users@googlegroups.com [mailto:django-users@googlegroups.com] On Behalf Of James Bennett Sent: Friday, February 8, 2019 9:00 AM To: django-users@googlegroups.com Subject: Re: Password Policy Adherence. Cannot use the passwords used before I'm going to suggest you step back and consider whether the policies you want to implement are good policies. A good, solidly-researched set of recommendations is NIST SP800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html In particular, NIST suggests the following: * Do not use a policy which automatically "expires" passwords and forces users to change them periodically. Only force a password change when you have evidence that a password has been compromised. * Do not try to impose artificial "complexity" rules (like requiring a mix of uppercase/lowercase, numbers and symbols). * When a user changes their password, compare it against lists of known-compromised passwords. Forcing users to change their passwords on a set schedule just encourages them to choose weak passwords that are easy to remember. If you force me to change my password every three months, for example, here's what I'll do: * P@ssword!2019_1 * P@ssword!2019_2 * P@ssword!2019_3 * P@ssword!2019_4 These passwords are all different from each other, and they each contain at least one uppercase and one lowercase letter, at least one number and at least one symbol. They're also terrible passwords that would probably get cracked within minutes, if not seconds, by any good automated cracker. That's a year's worth of passwords, each of which is different from the last, each contains one -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com<mailto:django-users+unsubscr...@googlegroups.com>. To post to this group, send email to django-users@googlegroups.com<mailto:django-users@googlegroups.com>. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAL13Cg9Xi7QdCCffqROi_FjLzKimtWYBR%3DusMxf6ihf_E6%3D-9A%40mail.gmail.com<https://groups.google.com/d/msgid/django-users/CAL13Cg9Xi7QdCCffqROi_FjLzKimtWYBR%3DusMxf6ihf_E6%3D-9A%40mail.gmail.com?utm_medium=email&utm_source=footer>. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7d7e9de09028498e8fca89973db6484f%40iss2.ISS.LOCAL. For more options, visit https://groups.google.com/d/optout.
