[Coco] Mystic BBS
John E. Malmberg
wb8tyw at qsl.net
Sat May 2 12:19:00 EDT 2020
On 9/30/2019 5:44 PM, phil pt wrote:
<snip>
> The password policy is set to force the user to change their passwords every
> 90 days. There are many more security features included, but that is
> not public information.
You are out of compliance with current NIST requirements and
recommendations.
https://pages.nist.gov/800-63-FAQ/#q-b05
NIST studies have verified that password expiration results in
easier-to-crack passwords. So much easier that NIST has banned the practice.
See also:
https://pages.nist.gov/800-63-FAQ/#q-b06
Recommended not to require special characters.
https://pages.nist.gov/800-63-FAQ/#q-b10
Recommended not to require composition rules.
I do not have a link handy, but there is an online copy of the study
that NIST conducted.
A lot of things that alleged security professionals have been claiming
about creating secure passwords turned out to be actually more harmful
than good in real world tests.
This is all aside from the fact that a password on a TELNET session is not
secure from interception en route.
As long as the accounts are "captive" and limited in what they can do
(no e-mail, shell, direct web browsing / serving, or secret files),
there is really not much need of stronger passwords.
A higher risk is a bot creating accounts to post links that the spammer
thinks will cause higher rankings of their pages.
Regards,
-John