[Coco] Mystic BBS

John E. Malmberg wb8tyw at qsl.net
Sat May 2 12:19:00 EDT 2020


On 9/30/2019 5:44 PM, phil pt wrote:
<snip>
> The password policy is set to force the user to change their passwords every
> 90 days. There are many more security features that are included, but that is
> not public information.

You are out of compliance with current NIST requirements and 
recommendations.

https://pages.nist.gov/800-63-FAQ/#q-b05

NIST studies have verified that password expiration results in 
easier-to-crack passwords.  So much easier that NIST has banned the practice.

See also:

https://pages.nist.gov/800-63-FAQ/#q-b06

Recommended not to require special characters.

https://pages.nist.gov/800-63-FAQ/#q-b10

Recommended not to require composition rules.

I do not have a link handy, but there is an online copy of the study 
that NIST conducted.

A lot of things that alleged security professionals have been claiming 
about creating secure passwords turned out to be actually more harmful 
than good in real world tests.

This is all aside from the fact that a password on a TELNET session is 
not secure from interception en route.

As long as the accounts are "captive" and limited in what they can do 
(no e-mail, shell, direct web browsing / serving, or secret files), 
there is really not much need of stronger passwords.

A higher risk is a bot creating accounts to post links that the spammer 
thinks will cause higher rankings of their pages.

Regards,
-John


