Updated authentication.md and linked MFA #1520 #1576
Merged
+1
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…veloper03/CheatSheetSeries into Updated_authentication.md
eth-developer03
requested review from
kwwall,
mackowski,
jmanico and
szh
as code owners
8 tasks
szh
requested changes
Jan 6, 2025
| @@ -36,7 +36,8 @@ A key concern when using passwords for authentication is password strength. A "s | |||
| - **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/). | |||
| - Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length. | |||
| - Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. | |||
| - Ensure credential rotation when a password leak occurs, or at the time of compromise identification. | |||
| - Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable [Multifactor Authentication Cheat Sheet (MFA)](Multifactor_Authentication_Cheat_Sheet.md). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically). | |||
| According to [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), verifiers should not mandate arbitrary password changes (e.g., periodically). | |||
There was a problem hiding this comment.
Suggested change
| According to [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), verifiers should not mandate arbitrary password changes (e.g., periodically). |
This sentence is duplicated
Co-authored-by: Shlomo Zalman Heigh <[email protected]>
mackowski
approved these changes
Jan 7, 2025
tripeasy
approved these changes
Jan 12, 2025
tripeasy
approved these changes
Jan 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
You're A Rockstar
Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.
Please make sure that for your contribution:
[TEXT](URL)If your PR is related to an issue, please finish your PR text with the following line:
This PR fixes issue #1520.
Thank you again for your contribution 😃