On Fri, Dec 3, 2021 at 1:17 PM Kurt Seifried <k...@seifried.org> wrote:
>
>
> Not Using Password Aging - (262)
> https://cwe.mitre.org/data/definitions/262.html
>
> Password Aging with Long Expiration - (263)
> https://cwe.mitre.org/data/definitions/263.html
>
> REFERENCES needs updating with:
>
> https://pages.nist.gov/800-63-3/sp800-63b.html

+1. You never throw away a good secret based on [misguided] policy.

From Security UX studies, we know each time a user is required to come
up with a new password, the new password gets weaker and weaker until
it approaches a minimum.

Here's a better reference. Peter Gutmann stated this long before NIST,
and he even cited the Security UX studies:
https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf

Jeff
