NIST Special Publication 800-63B
▻https://pages.nist.gov/800-63-4/sp800-63b.html
The following requirements apply to passwords:
– Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
– Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
– Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
– Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
– Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
– Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
– Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
– Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
– Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
Il n’y a pas si longtemps, pour un nouveau client, nous avions été challengés sur la sécurité. Et un gars nous avait contraint à implémenter une expiration du mot de passe, à notre corps défendant.
Je suis donc heureux de vous apprendre que le NIST américain, l’équivalent de notre ANSSI, a publié un document indiquant que l’expiration des mots de passe ne devrait pas être mise en œuvre, et qu’imposer des règles de complexité non plus (mélanger différents types de caractères). Restent les bonnes pratiques comme accepter tous les caractères, y compris l’espace, y compris les unicodes, au moins 8 caractères, voire 15, accepter les mots de passe de 64 caractères...
Il était temps.