> On Jan 20, 2022, at 3:52 PM, Gavan Schneider <list.pg.gavan@xxxxxxxxxxx> wrote: > > On 21 Jan 2022, at 3:24, Daulat wrote: > >> Yes, you are right, I am planning for password complexity rules and to, force users to change their password. >> > While you are in the planning stages you may wish to review current best practice, e.g., USA National Institute of Standards and Technology. > > For me the most interesting aspect of the revised standard is how forcing password changes and complexity rules often leads to reduced security in the real world. > > Refer: > https://pages.nist.gov/800-63-3/sp800-63-3.html > https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ (for a more human readable version :) > > Regards > > Gavan Schneider Slightly off-topic, but I once ran into a system that would not allow kk1bsk#$ as a password because it contained a dictionary word. Still wondering what dictionary they were using...
