@Jason, yes I believe I do need to research further when that action happens. the point where the password is hashed and stored in the User table. I'll continue to work on it.
@James, currently the requirements are non debatable for us developers in the company. The security team implemented the guidelines and by any means, they have to be implemented. (Even though the company apps don't even follow the policies!) I believe it's just additional work for developers, and makes the development time longer which equates to less value to customers. But I do appreciate the points you provided. When I have the chance to have a discussion with the security team, I will definitely bring up these points. On Fri, Feb 8, 2019 at 11:19 PM Matthew Pava <matthew.p...@iss.com> wrote: > I completely support this NIST policy, James. Unfortunately, the PCI > Security Standards Council does not support this policy at this time. In > order for a company to be PCI compliant, users must change their passwords > every three months. PCI compliance is essential for companies to adhere to > when they are processing credit cards. There are ways around the > requirements; companies could basically out-source credit card processing > to other companies such as Stripe or Square, but they need to know what > they are doing to maintain compliance. > > > > > https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf?agreement=true&time=1549638814227 > > > > > > > > *From:* django-users@googlegroups.com [mailto: > django-users@googlegroups.com] *On Behalf Of *James Bennett > *Sent:* Friday, February 8, 2019 9:00 AM > *To:* django-users@googlegroups.com > *Subject:* Re: Password Policy Adherence. Cannot use the passwords used > before > > > > I'm going to suggest you step back and consider whether the policies you > want to implement are good policies. A good, solidly-researched set of > recommendations is NIST SP800-63B: > > > > https://pages.nist.gov/800-63-3/sp800-63b.html > > > > In particular, NIST suggests the following: > > > > * Do not use a policy which automatically "expires" passwords and forces > users to change them periodically. Only force a password change when you > have evidence that a password has been compromised. > > * Do not try to impose artificial "complexity" rules (like requiring a mix > of uppercase/lowercase, numbers and symbols). > > * When a user changes their password, compare it against lists of > known-compromised passwords. > > > > Forcing users to change their passwords on a set schedule just encourages > them to choose weak passwords that are easy to remember. If you force me to > change my password every three months, for example, here's what I'll do: > > > > * P@ssword!2019_1 > > * P@ssword!2019_2 > > * P@ssword!2019_3 > > * P@ssword!2019_4 > > > > These passwords are all different from each other, and they each contain > at least one uppercase and one lowercase letter, at least one number and at > least one symbol. They're also terrible passwords that would probably get > cracked within minutes, if not seconds, by any good automated cracker. > > That's a year's worth of passwords, each of which is different from the > last, each contains one > > -- > You received this message because you are subscribed to the Google Groups > "Django users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-users+unsubscr...@googlegroups.com. > To post to this group, send email to django-users@googlegroups.com. > Visit this group at https://groups.google.com/group/django-users. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/CAL13Cg9Xi7QdCCffqROi_FjLzKimtWYBR%3DusMxf6ihf_E6%3D-9A%40mail.gmail.com > <https://groups.google.com/d/msgid/django-users/CAL13Cg9Xi7QdCCffqROi_FjLzKimtWYBR%3DusMxf6ihf_E6%3D-9A%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to a topic in the > Google Groups "Django users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/django-users/RXEq0nWCPeQ/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > django-users+unsubscr...@googlegroups.com. > To post to this group, send email to django-users@googlegroups.com. > Visit this group at https://groups.google.com/group/django-users. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-users/7d7e9de09028498e8fca89973db6484f%40iss2.ISS.LOCAL > <https://groups.google.com/d/msgid/django-users/7d7e9de09028498e8fca89973db6484f%40iss2.ISS.LOCAL?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- Kind Regards, Simon Arriola -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CABXH83rWdi7itb7O3Bs%2B3%3DW3dNozEDHZ6NMmo0ZfMEqUu%3DT5uA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
