Collaborate Disseminate
I am aware of a bank (redacted for obvious reasons) that has the following password policy.
Only English alphanumeric characters
Min of 8, max of 14 characters
No special characters (ex. !@#$%^&* are all forbidden)
Passwords must be c… Continue reading What are the security implications of the password policy for this bank? [duplicate]
On a few rare instances, I’ve received an email from a website notifying me that my email and password were found in batch of harvested logins, and they then force me to change my password.
This has only happened on a few very old unused a… Continue reading How to monitor your user accounts for breached logins?
Recently, I’ve checked the some articles including R. E. Smith, The Strong Password Dilemma. ch. 6., Password Strength: An Empirical Analysis, Distance between two passwords and Password strength metrics. The mentioned strong password poli… Continue reading Password Strength Determination
Many websites have different requirements for a strong password (beyond simple length I mean). Anecdotally, I think these requirements are common:
Password must contain a mix of upper and lower case letters
Password must contain at least … Continue reading Is there data on the most common password strength requirements?
I’m looking for a set of documents from reputable sources that explicitly state that password (passphrase) length is exponentially more important than password complexity.
Consider the following password policies:
[a] Passwords must contai… Continue reading References for [password length] > [complexity] (Academic Papers, Government Guidelines, Standards Publications) [closed]
What are some Asian-equivalent organizations comparable to USA’s NIST?
I want to check the best practices and guidelines on computer security. Does anyone know if there are similar organizations in Asian countries that publish recommendati… Continue reading What are equivalent Asian organization of NIST, especially in the Security Computer Division? [closed]
NIST and OWASP ASVS recommends checking passwords against those obtained from previous data breaches. The list of such passwords can be downloaded from "Have I Been Pwned" (https://haveibeenpwned.com/Passwords), but there are mor… Continue reading Passwords verification against a set of breached passwords
What are the technical reasons not to use non-reversible transformation when encrypting password in database? That way, even when password database is leaked, nobody can read any password. If it is reversible ,it would fail to comply with … Continue reading What are the technical reasons not to use non-reversible transformation when encrypting password in database? [duplicate]
We have an open source software that allows users to be created. The users are saved in an LDAP directory. The software connects to the LDAP as an administrator to write a new entry for a new user, or to edit the password if the user wants… Continue reading The difficulty of securely storing a password
I’m currently setting up a KeePass database after switching over from another password manager, and it has the option to change the character set for generating a password.
This has a lot of options, but now I’m wondering if you could poss… Continue reading What characters should, and should I absolutely not use in generated passwords? [duplicate]