-
-
Notifications
You must be signed in to change notification settings - Fork 627
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2.3.1 seems weak #1861
Comments
The number 6 comes from NIST:
But the requirement itself...
|
I'd like to bump this to 8 or 10 characters. 6 is the standard suggestion but 8-10 or even more is a lot better entropy since this is something a user would cut and paste. |
Taking Elar's suggestion in mind:
|
@tghosth - do we get it in or do you want to handle it during "rework"? |
So this requirement is talking about "system generated initial passwords or activation codes". I initially thought it was talking about or OTPs or TOTPs but I am pretty sure that is not the case. As such I think that upping the limit to match regular password length guidelines makes sense and I also think that complexity is relevant because this is randomly generated. I don't think it needs to be single use (and as discussed above single use is covered elsewhere) but it does need to be short lived. I agree that "These initial secrets must not be permitted to become the long term password" duplicates "short lived". As such, I would suggest the following: (Tag has changed following #1928)
|
Is the point, that the initial password can not be weaker than the permanent password? If yes, then we can just say, that "initial password must match with general password rules".
It just duplicates 2.1.1:
Why it must contain letters AND numbers? It is in conflict with composition rules:
If we want to say, that the initial password has the same strength as the permanent password, why do we need to have expire time? How short is short (it is not testable)? I think the goal for "securely randomly generated" + "short expires time" has the goal to allow shorter initial passwords. The summary: what is the precise goal for the requirement and what is the risk/attack vector it mitigates? |
|
@jmanico I also thought at first that this applied to OTPs such as 2FA codes sent through SMS. Would it make sense to mention that or include another requirement specific to these types of codes? |
I think this whole section is going to need to be significantly reworked @deleterepo My current suggestion is here: #1861 (comment) My responses to the feedback on this are here: #1861 (comment) Are there any other concerns on my suggestion? |
Hi @tghosth. Makes sense about it needing to be reworked. Apologies I think I missed your suggestion and re-read this thread. I agree with your suggestion here: #1861 (comment). Does this mean that this only applies to non-human passwords, and the upgrade to 8 characters is to align with NIST? For activation codes and 2FA codes, even Apple still uses 6 digits for that. |
A few thoughts:
|
Can we please bump this to 8 so we are in line wth other password size requirements?
The text was updated successfully, but these errors were encountered: