Re: Password authorization

From Scott Ribe
Subject Re: Password authorization
Date
Msg-id CCF10D3D-B013-4736-AAE7-84043553C1BA@elevated-dev.com
In reply to Re: Password authorization  (Gavan Schneider <list.pg.gavan@pendari.org>)
Responses Re: Password authorization  (Дмитрий Иванов <firstdismay@gmail.com>)
List pgsql-admin
> On Jan 20, 2022, at 3:52 PM, Gavan Schneider <list.pg.gavan@pendari.org> wrote:
>
> On 21 Jan 2022, at 3:24, Daulat wrote:
>
>> Yes, you are right, I am planning for password complexity rules and to force users to change their password.
>>
> While you are in the planning stages you may wish to review current best practice, e.g., USA National Institute of Standards and Technology.
>
> For me the most interesting aspect of the revised standard is how forcing password changes and complexity rules often leads to reduced security in the real world.
>
> Refer:
> https://pages.nist.gov/800-63-3/sp800-63-3.html
> https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/ (for a more human readable version :)
>
> Regards
>
> Gavan Schneider

Slightly off-topic, but I once ran into a system that would not allow kk1bsk#$ as a password because it contained a dictionary word.

Still wondering what dictionary they were using...




