Aaron Toponce ⚛️:debian: on Nostr: I've been screaming this for years. Service providers that provide authentication ...
I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:
1. Require at least 12 characters.
2. Use ZXCVBN to estimate password strength and require a score of 4.
Interestingly enough, if you do those two things, you don't have to have stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.
https://www.cc.gatech.edu/news/largest-study-its-kind-shows-outdated-password-practices-are-widespread
#passwords
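The two-rule policy from the post, worked through as an added example (not from the original post, and not the zxcvbn library itself): a length check plus a score-4 requirement, where the score is derived from an estimated guess count rather than from character classes. The `COMMON` list is a constructed sample, and the token matchers and per-token guess counts are a simplified stand-in for zxcvbn's model written for this example; only the score buckets (1e3/1e6/1e8/1e10 guesses) and the brute-force cardinality of 10 per character follow zxcvbn's scoring. A real deployment should call zxcvbn and keep only the policy part.

```javascript
// Added example: a zxcvbn-style password policy check.
// The estimator below is a small stand-in for zxcvbn, NOT the library, so the
// policy logic can run offline. The policy itself is the post's: >= 12 chars
// and a score of 4, with no character-class rules and no blocklist.

// Constructed sample of the top of a leaked-password frequency list (rank = index + 1).
const COMMON = [
  "123456", "password", "qwerty", "letmein", "welcome", "monkey",
  "dragon", "football", "iloveyou", "admin", "sunshine", "princess",
];

// Longest dictionary word starting at position i, case-insensitive.
// Guesses = rank in the list, doubled if any capitalisation was applied.
function matchDictionary(pw, i) {
  let best = null;
  for (const word of COMMON) {
    const slice = pw.slice(i, i + word.length);
    if (slice.toLowerCase() === word && (!best || word.length > best.token.length)) {
      const upper = slice !== slice.toLowerCase() ? 2 : 1;
      best = { kind: "dictionary", token: slice, guesses: (COMMON.indexOf(word) + 1) * upper };
    }
  }
  return best;
}

// Runs like "abcd", "1234", "zyxw" (code points stepping by +1 or -1), length >= 3.
function matchSequence(pw, i) {
  if (i + 2 >= pw.length) return null;
  const step = pw.charCodeAt(i + 1) - pw.charCodeAt(i);
  if (Math.abs(step) !== 1) return null;
  let j = i + 1;
  while (j + 1 < pw.length && pw.charCodeAt(j + 1) - pw.charCodeAt(j) === step) j++;
  const token = pw.slice(i, j + 1);
  if (token.length < 3) return null;
  // Obvious starting points are cheap, digits next, other letters dearest; descending costs 2x.
  const base = "aAzZ019".includes(token[0]) ? 4 : /\d/.test(token[0]) ? 10 : 26;
  return { kind: "sequence", token, guesses: base * token.length * (step < 0 ? 2 : 1) };
}

// One character repeated 3 or more times, e.g. "aaaa" or "!!!".
function matchRepeat(pw, i) {
  let j = i;
  while (j + 1 < pw.length && pw[j + 1] === pw[i]) j++;
  const token = pw.slice(i, j + 1);
  return token.length < 3 ? null : { kind: "repeat", token, guesses: 10 * token.length };
}

// Greedy left-to-right segmentation; anything unmatched is brute force at
// zxcvbn's cardinality of 10 guesses per character.
function tokenize(pw) {
  const tokens = [];
  let i = 0;
  while (i < pw.length) {
    const m = matchDictionary(pw, i) || matchSequence(pw, i) || matchRepeat(pw, i);
    if (m) { tokens.push(m); i += m.token.length; continue; }
    const last = tokens[tokens.length - 1];
    if (last && last.kind === "bruteforce") { last.token += pw[i]; last.guesses *= 10; }
    else tokens.push({ kind: "bruteforce", token: pw[i], guesses: 10 });
    i++;
  }
  return tokens;
}

function estimateGuesses(pw) {
  return tokenize(pw).reduce((acc, t) => acc * t.guesses, 1);
}

// zxcvbn's score buckets: 0 below 1e3 guesses, 1 below 1e6, 2 below 1e8, 3 below 1e10, else 4.
function guessesToScore(guesses) {
  const DELTA = 5;
  if (guesses < 1e3 + DELTA) return 0;
  if (guesses < 1e6 + DELTA) return 1;
  if (guesses < 1e8 + DELTA) return 2;
  if (guesses < 1e10 + DELTA) return 3;
  return 4;
}

const MIN_LENGTH = 12;
const MIN_SCORE = 4;

// The policy: both rules must hold. Returns the reasons so a signup form can show them.
function checkPassword(pw) {
  const guesses = estimateGuesses(pw);
  const score = guessesToScore(guesses);
  const reasons = [];
  if (pw.length < MIN_LENGTH) reasons.push(`shorter than ${MIN_LENGTH} characters`);
  if (score < MIN_SCORE) reasons.push(`estimated strength ${score}/4 (about ${guesses.toExponential(1)} guesses)`);
  return { ok: reasons.length === 0, score, guesses, reasons };
}

// Constructed sample inputs: a "complex" 12-char password, a short random one,
// a long passphrase, and a breached password padded to 12 chars by doubling it.
for (const pw of ["Password123!", "xK9#mQ2v", "correct horse battery staple", "123456123456"]) {
  const r = checkPassword(pw);
  console.log(JSON.stringify(pw).padEnd(32), r.ok ? "accept" : "reject", r.reasons.join("; "));
}
```

Note what the sample run shows about the post's claim: "Password123!" satisfies every classic complexity rule and the 12-character minimum but scores 0 because it decomposes into a top-ranked dictionary word, a sequence and one symbol; "123456123456" is rejected without any blocklist because the dictionary match alone drives its guess count to 1; the short random string fails on length even though its guess count is respectable; and the passphrase passes both rules.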