I’ve seen some sites grade passwords from weak to strong instead of using explicit rules, but I’m not sure exactly how they’re graded. Probably some sort of entropy approximation.
That’s exactly what it is, and that is the correct way to do it.
All those ridiculous letter/case/symbol/number rules come from guidelines written by Bill Burr for NIST 20 years ago. He has since stated that he regrets them, and NIST has abandoned them. Because they’re actually counterproductive to security.
Would that my IT department had gotten the memo. They think NIST is god-tier, even when our own CS department is like… yeah, no. And personally, having worked with NIST researchers in fields that aren’t IT policy, I wonder how good their IT policy docs really are. The whole organization is bureaucracy getting in the way of good science and common sense.
I’ve seen some sites grade passwords from weak to strong instead of using explicit rules, but I’m not sure exactly how they’re graded. Probably some sort of entropy approximation.
That’s exactly what it is, and that is the correct way to do it.
All those ridiculous letter/case/symbol/number rules come from guidelines written by Bill Burr for NIST 20 years ago. He has since stated that he regrets them, and NIST has abandoned them. Because they’re actually counterproductive to security.
Would that my IT department had gotten the memo. They think NIST is god-tier, even when our own CS department is like… yeah, no. And personally, having worked with NIST researchers in fields that aren’t IT policy, I wonder how good their IT policy docs really are. The whole organization is bureaucracy getting in the way of good science and common sense.
Yup. Hard to remember, easy to guess.
Isn’t Bill Burr a comedian, though?Different Burr.