Fixing issue #1520 and fixing previous error #1572
Conversation
eth-developer03
requested review from
kwwall,
mackowski,
jmanico and
szh
as code owners
| @@ -36,7 +36,8 @@ A key concern when using passwords for authentication is password strength. A "s | |||
| - **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/). | |||
| - Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length. | |||
| - Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. | |||
| - Ensure credential rotation when a password leak occurs, or at the time of compromise identification. | |||
There was a problem hiding this comment.
I don't think this should be removed - its still accurate that if a breach occurs then passwords should be rotated.
There was a problem hiding this comment.
@szh - You don't think this sentence on the next line adequately addresses that?
Consider password rotation only in case of compromise or when authenticator technology is changed.
I guess it could be worded more strongly, such as:
Ensure credential changes take place if a compromise is detected ...
But I thought it more or less addressed the same concern.
There was a problem hiding this comment.
Yeah, I think "consider" isn't strong enough. If there's a breach, passwords MUST be rotated.
There was a problem hiding this comment.
Ok I'll change it
| @@ -36,7 +36,8 @@ A key concern when using passwords for authentication is password strength. A "s | |||
| - **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/). | |||
| - Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length. | |||
| - Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. | |||
| - Ensure credential rotation when a password leak occurs, or at the time of compromise identification. | |||
There was a problem hiding this comment.
@szh - You don't think this sentence on the next line adequately addresses that?
Consider password rotation only in case of compromise or when authenticator technology is changed.
I guess it could be worded more strongly, such as:
Ensure credential changes take place if a compromise is detected ...
But I thought it more or less addressed the same concern.
You're A Rockstar
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
[TEXT](URL)If your PR is related to an issue, please finish your PR text with the following line:
This PR fixes issue #1520 .
Thank you again for your contribution 😃