Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update readme to not be plain and simple shaming #219

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

update readme to not be plain and simple shaming #219

wants to merge 1 commit into from

Conversation

allan-simon
Copy link

so that we can also educate people on how to not be on that list

@allan-simon
update readme to not be plain and simple shaming
15fec0a 
so that we can also educate people on how to not be on that list
@smtchahal smtchahal mentioned this pull request Apr 30, 2022
Closed
rpdelaney
rpdelaney reviewed Jun 24, 2022
View reviewed changes
README.rst
We recommend you that in the future you refer to the OWASP (Open Web Application Security Project)
before implementing or specifying web applications.

For example the current set of recommendation, and the rationals on "why" for password rules are here:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For example the current set of recommendation, and the rationals on "why" for password rules are here:
For example the current set of recommendation, and the rationales on "why" for password rules are here:

rpdelaney
rpdelaney reviewed Jun 24, 2022
View reviewed changes
README.rst
before implementing or specifying web applications.

For example the current set of recommendation, and the rationals on "why" for password rules are here:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we make this a more user friendly clickable hyperlink?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it also make sense to reference the actual revised NIST guidelines, here: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
and the use of good meters, such as zxcvbn?

Afterall, it was versions of those guidelines in the past that gave s the nightmare that we see today...

@duffn
Copy link
Owner

duffn commented Feb 15, 2023

Thanks for your previous submission!

I'm still interested in something here, but note that I've migrated from the README to a full site (#443). If you'd like to add a section on the about page that notes how best to not get on the list, I'm happy to take another look

@duffn duffn mentioned this pull request Feb 15, 2023
Open
@allan-simon
Copy link
Author

no problem I will try to take a look at it.

@abernh
Copy link

abernh commented Mar 4, 2023

@allan-simon are you still on it? I stumbled today over this project and had instantly the same complain as you did ... 3 years ago 😆 so here I am, willing to lend a hand in a fitting addendum for the "about" page.

I went over the current state of the NIST guidelines and based on that I'd suggest the following additional paragraph after "What makes a dumb password?"

"What makes a good password policy?"
The current NIST guidelines for passwords recommend:

  1. Longer passwords (>12 characters)
    but recommend even longer ones (passphrases with +64 characters)
  2. Don't require password complexity
    but screenout common passwords like "password" or "123456" (see also zxcvbn, "a password strength estimator inspired by password crackers")
  3. Avoid mandatory password changes
    except in cases of suspected compromise.
  4. Allow copy-paste
    to facilitate the use of password managers.
  5. Use two-factor authentication (2FA) or multi-factor authentication (MFA), especially for high-value accounts.

@allan-simon
Copy link
Author

@abernh if you want to replace my PR, feel free, I don't think I would have the time any time soon.

NIST actually state > 8 characters , and for 2) yes and point out that services like https://haveibeenpwned.com/ provide API for that, and all major web framework I know of (laravel, django, symfony , ruby on rails) do provide integration with it.

abernh added a commit to abernh/dumb-password-rules that referenced this pull request Mar 5, 2023
@abernh
feat(about): add paragraph about good password policy
74e7eaa 
see also duffn#219
@abernh abernh mentioned this pull request Mar 5, 2023
Open
@abernh
Copy link

abernh commented Mar 5, 2023

True, it's just 8 characters. Well spotted.

I added the API reference and created a new PR #497

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kvaradhan3 kvaradhan3 kvaradhan3 left review comments

@rpdelaney rpdelaney rpdelaney left review comments

@adrienthiery adrienthiery adrienthiery approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@allan-simon @duffn @abernh @rpdelaney @adrienthiery @kvaradhan3