Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Miklosovic, Stefan
Hi Brad, your link about not enforcing regular password expiration for users is spot on. For these reasons I decided to not expand that CEP in that direction. Sure, technically possible, but practically questionable. I think that all these guides and recommendations should be looked at from the

Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Brad
I would suggest reviewing the guidelines in section 5.1.1.2 of NIST Special Publication 800-63B and the NCSC Password policy: updating your approach - NCSC.GOV.UK

Re: [Discuss] CEP-24 Password validation and generation

2022-10-10 Thread Miklosovic, Stefan
Thanks Andrés. After careful consideration, I think it would be better if the initial implementation dropped the validation of a password against the previous ones so people cannot reuse them too often. This feature would bring additional complexity and a new table in the system_auth keyspace. It i