Ahahah I just realized that hashcat 7 and NIST 800-63 v4 were released _on the same day_. I like the symmetry of that.
#hashcat #nist #sp80063
Taken together:
> Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
and
> Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length […]
If you're using two factors _everywhere_ ... your passwords can be shorter.
> Verifiers and CSPs SHALL require passwords that are used as a single-factor authentication mechanism to be a minimum of 15 characters in length. Verifiers and CSPs MAY allow passwords that are only used as part of […]
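As an added example (not from these posts and not NIST's own code), here are the length rules quoted above as a small checker in Python. The 15-character single-factor minimum and the 64-character floor on the maximum come straight from the quotes; the 8-character minimum for passwords that are only one factor of several is taken from the rest of the sentence in the published SP 800-63B-4 that the post truncates, and is marked as an assumption in the code. The function names are mine. The point worth seeing in code is the unit: SP 800-63B counts Unicode code points, which is what Python's `len()` returns for a `str`, whereas a check written against UTF-8 bytes or UTF-16 code units will miscount anything outside ASCII.

```python
from __future__ import annotations

# Constants taken from the SP 800-63B-4 text quoted above.
MAX_LENGTH_FLOOR = 64    # "maximum password length of at least 64 characters"
MIN_SINGLE_FACTOR = 15   # SHALL, when the password is the only factor
# Assumption: the truncated sentence continues "...multi-factor authentication
# to be a minimum of 8 characters"; verify against the published document.
MIN_WITH_SECOND_FACTOR = 8


def password_length(password: str) -> int:
    """Length in Unicode code points, the unit SP 800-63B-4 specifies.

    Python's len() on a str already counts code points, so this is a
    one-liner; the function exists to make the unit explicit at call sites.
    """
    return len(password)


def check_password_length(
    password: str,
    *,
    single_factor: bool = True,
    max_length: int = MAX_LENGTH_FLOOR,
) -> tuple[bool, str]:
    """Apply the minimum and maximum from SP 800-63B-4.

    Returns (accepted, reason). single_factor=True means the password is the
    only authenticator and gets the 15-code-point SHALL minimum; False means
    another factor is always required and the lower minimum applies.
    """
    if max_length < MAX_LENGTH_FLOOR:
        # A verifier that caps passwords below 64 is out of spec; fail loudly
        # at configuration time rather than silently rejecting long passphrases.
        raise ValueError(
            f"configured maximum {max_length} is below the SP 800-63B-4 floor "
            f"of {MAX_LENGTH_FLOOR} code points"
        )
    minimum = MIN_SINGLE_FACTOR if single_factor else MIN_WITH_SECOND_FACTOR
    n = password_length(password)
    if n < minimum:
        return False, f"too short: {n} code points, minimum is {minimum}"
    if n > max_length:
        return False, f"too long: {n} code points, maximum is {max_length}"
    return True, "ok"


def length_views(password: str) -> dict[str, int]:
    """The same string measured three ways, to show why the unit matters.

    Only 'code_points' is the SP 800-63B-4 measure. A byte-based or
    UTF-16-based check over-counts non-ASCII input and would reject a
    64-code-point emoji passphrase as too long.
    """
    return {
        "code_points": len(password),
        "utf8_bytes": len(password.encode("utf-8")),
        "utf16_units": len(password.encode("utf-16-le")) // 2,
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, sf in [
        ("correct horse battery staple", True),
        ("Tr0ub4dor&3", True),
        ("Tr0ub4dor&3", False),
        ("\U0001F511" * 64, True),   # 64 key emoji: 64 code points, 256 UTF-8 bytes
        ("a" * 65, True),
    ]:
        ok, why = check_password_length(pw, single_factor=sf)
        print(f"single_factor={sf!s:5} {ok!s:5} {why:40} {length_views(pw)}")
```

Usage note: a verifier that stores only a salted hash has no storage reason to cap length at 64; the `max_length` parameter exists so a deployment can set a larger bound, and the constructor-time check refuses anything smaller than the floor the guideline sets.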
At long last, the four-volume NIST SP 800-63-4, Digital Identity Guidelines, has been released! Looking forward to the online workshop discussing the documents. www.nist.gov/blogs/cybers... #SP80063
Also, for those folks who are using the entire multi-billion-hash HIBP corpus to block billions of passwords, take note (I've been saying this for _years_) -- the purpose of such denylists is to defend against _online_ / _interactive_ attacks:
> Since the blocklist is used to defend against […]
New NIST SP800-63b on password length (seems solid):
> Users should be encouraged to make their passwords as long as they want within reason. Since the size of a hashed password is independent of its length, there is no reason to prohibit the use of lengthy passwords (or passphrases) if the […]