Not Using Password Aging - (262)

Password Aging with Long Expiration - (263)

REFERENCES needs updating with: Memorized Secret Verifiers

Verifiers SHOULD NOT impose other composition rules (e.g., requiring
mixtures of different character types or prohibiting consecutively repeated
characters) for memorized secrets. Verifiers SHOULD NOT require memorized
secrets to be changed arbitrarily (e.g., periodically). However, verifiers
SHALL force a change if there is evidence of compromise of the

And ideally, we should rewrite BOTH of these CWE's to state "these are

Kurt Seifried (He/Him)

Reply via email to