On Thu, Feb 18, 2021 at 6:17 PM divoplade <d...@divoplade.fr> wrote:
> Fortunately, there are very few international problems that need to
> look at individual characters of a string. Your password rules example
> is arguably one of them, although it may make non-Latin users angry
> (this upper case / lower case distinction does not work in Chinese, as
> far as I know).

The 2017 (U.S.) NIST password guidelines no longer limit what characters can appear in a password: in particular, spaces, Chinese characters, and emoji are fine. Here is the complete list of guidelines, which are binding on the U.S. government but recommended for everyone:

1) Passwords must be 8 characters or more but not more than 64 characters, and must be hashed and salted before being stored. Password length is the primary defense against password cracking. (Note that a password assigned by the system such as a PIN may have as few as 6 digits.)

2) All Unicode characters should be allowed unless they are forbidden by the underlying system. Runs of repeated or consecutive characters, however, are not allowed.

3) Pasting text should be allowed wherever possible, so as to encourage the use of password managers.

4) Password hints are not allowed. They weaken security.

5) Enforcing periodic password changes is not allowed. They decrease usability and encourage users to use the same or similar passwords, which causes the increased security to be negligible.

6) Enforcing password complexity requirements like the use of lower case, upper case, digits, etc. is not allowed. The security they add is negligible.

7) Passwords must be screened against a list of commonly used passwords, known compromised passwords, and dictionary words, as password cracking programs will usually try such passwords first.

John Cowan          http://vrici.lojban.org/~cowan        co...@ccil.org
Work hard / play hard, die young / rot quickly.
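As an added example (not code from the thread), a Python validator that applies the rules as listed in the message above: length counted in code points, no composition rules, a check for runs of repeated or consecutive characters, screening against a list, and a salted PBKDF2 store/verify pair. The screening list, the run length of 3, and the stored-record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64          # rule 1
PBKDF2_ITERATIONS = 600_000       # work factor for the salted hash (rule 1)
# Constructed stand-in for a real "commonly used / compromised" list (rule 7).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}

def normalize(pw: str) -> str:
    """NFC so the same visible string always counts and hashes the same."""
    return unicodedata.normalize("NFC", pw)

def has_run(pw: str, run_len: int = 3) -> bool:
    """True for run_len identical code points in a row (aaa) or run_len
    consecutive ones in either direction (abc, 321). run_len is assumed."""
    cps = [ord(c) for c in pw]
    for i in range(len(cps) - run_len + 1):
        window = cps[i:i + run_len]
        if {b - a for a, b in zip(window, window[1:])} in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw: str) -> list[str]:
    """Return the rule violations; an empty list means the password is accepted.
    Deliberately no composition rules (rule 6) and no hints (rule 4); length is
    in code points, so a Chinese character or an emoji counts once (rule 2)."""
    pw = normalize(pw)
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}..{MAX_LEN} characters")
    if has_run(pw):
        problems.append("run of repeated or consecutive characters")
    if pw.casefold() in BLOCKLIST:
        problems.append("commonly used or known compromised password")
    return problems

def store_password(pw: str) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256; the record format is assumed."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"

def verify_password(pw: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Note that "Password123!" satisfies every classic complexity rule yet is rejected here only for its "123" run, while a long passphrase with spaces or a short string of Chinese characters passes.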