Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(about): add paragraph about good password policy #497

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(about): add paragraph about good password policy #497

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
74e7eaa
feat(about): add paragraph about good password policy
abernh Mar 5, 2023
6efe825
fix(about): css cleanup
abernh Mar 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions src/pages/about.njk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,37 @@ permalink: "/about/"
</p>
</dd>
</div>
<div class="pt-8 lg:grid lg:grid-cols-12 lg:gap-8">
<dt class="text-base font-semibold leading-7 text-gray-900 lg:col-span-5">What makes a good password policy?</dt>
<dd class="mt-4 lg:col-span-7 lg:mt-0 text-gray-600">
<p class="text-base leading-7 text-gray-600">
The <a class="underline text-red-600" href="https://pages.nist.gov/800-63-3/sp800-63b.html#5-authenticator-and-verifier-requirements" target="_blank">
current NIST guidelines for passwords</a>
state:
</p>

<ol class="ml-2 mt-2 px-2 !list-outside">
<li class="mb-2"><strong>Longer passwords (>=8 characters)</strong><br/>
but recommend even longer ones (passphrases with +64 characters)</li>
<li class="mb-2"><strong>Don't require password complexity</strong><br/>
like caps, special chars, etc., instead disallow bad
or blacklisted passwords like "password" or
"123456" by making use of
<ul class="ml-4 px-2 !list-outside">
<li>libs: e.g. <a class="underline text-red-600" href="https://github.com/dropbox/zxcvbn" target="_blank"><code>zxcvbn</code></a> ("a password strength estimator inspired by password crackers")
<li>APIs: e.g. <a class="underline text-red-600" href="https://haveibeenpwned.com/API/v3" target="_blank">haveibeenpwned API</a>
</ul>
</li>
<li class="mb-2"><strong>Avoid mandatory password changes</strong><br/>
except in cases of suspected compromise.</li>
<li class="mb-2"><strong>Allow copy-paste</strong><br/>
to facilitate the use of password managers.</li>
<li class="mb-2"><strong>Use two-factor authentication (2FA)</strong><br/>
or multi-factor authentication (MFA), especially for high-value accounts.
</li>
</ol>
</dd>
</div>
<div class="pt-8 lg:grid lg:grid-cols-12 lg:gap-8">
<dt class="text-base font-semibold leading-7 text-gray-900 lg:col-span-5">I found a password rule that I
think is dumb. Can I add it to this list?</dt>
Expand Down