Password security (was: Changed password on Arch, now ssh cannot connect - "Connection refused")

All,

Sorry for hijacking the thread, just want to make a small correction.

On 29/08/2024 10:53, David C. Rankin <drankinatty@xxxxxxxxx> wrote:

> I changed my password [...] (as you should do
>  every so often).

It is no longer recommended to enforce any periodic password changes. See, e.g., the NIST recommendation [1]:

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

While password expiration used to be recommended, subsequent research showed that it does more harm than good, because users tend to choose passwords that are easier to remember, or to reuse passwords across multiple services.

Instead, the modern recommendation is to use two-factor authentication and to implement password blacklists.

Of course, this is primarily important for managing multiple user environments, and if you feel like you should change your own password every once in a while, there's no harm in that.

Kind regards,
-- 
Edward

[1] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
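The "password blacklist" half of the recommendation above, as an added worked example that is not part of Edward's message or of the cited NIST text: a new password is rejected if it is shorter than the SP 800-63B minimum of 8 characters or if it appears on a list of known-weak values. The blocklist here is a small constructed sample standing in for a real breach corpus, and storing it as SHA-1 digests of the lower-cased value is a design choice for this example, not something the post prescribes.

```python
"""Password blocklist check (illustrative; not code from the mailing-list post).

Models the approach the NIST guidance favours over forced periodic changes:
reject a candidate password that is too short or that appears on a list of
commonly used or previously breached values.
"""
import hashlib


def sha1_hex(value: str) -> str:
    """Hex SHA-1 of a UTF-8 string; used only as a lookup key, not for storage of live credentials."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest()


# Constructed sample of weak passwords. A real deployment would load a large
# corpus (millions of entries) rather than this hand-written list.
_SAMPLE_WEAK = ["password", "123456", "qwerty", "letmein", "Password1", "archlinux"]

# Blocklist kept as digests of the lower-cased value so the cleartext list
# need not ship with the checker. Lower-casing makes the match case-insensitive,
# so "PASSWORD" is caught by the "password" entry.
BLOCKLIST = {sha1_hex(p.lower()) for p in _SAMPLE_WEAK}

MIN_LENGTH = 8  # SP 800-63B minimum length for user-chosen memorized secrets


def check_password(candidate: str, blocklist=BLOCKLIST, min_length: int = MIN_LENGTH) -> list:
    """Return a list of rejection reasons; an empty list means the password is acceptable."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if sha1_hex(candidate.lower()) in blocklist:
        reasons.append("appears on the blocklist")
    return reasons


if __name__ == "__main__":
    # Sample candidates, constructed for the demonstration.
    for pw in ["Password1", "PASSWORD", "qwerty", "correct horse battery staple"]:
        verdict = check_password(pw)
        print(f"{pw!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Note that the check runs only when a password is set or changed; nothing here expires an existing password, which is the point of the recommendation.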


