Fen Labalme • March 2, 2023 6:44 PM
I like the password policies according to NIST SP 800-63b guidelines as follows:
All users will be required to have strong “memorized secret” passwords/passphrases that:
- Are at least 16 characters in length (allowing up to 255 characters)
- Do not match a dictionary of known breached passwords and other common phrases
- Have sufficient complexity and entropy (make use of zxcvbn)
- Cannot be changed until they have been in use at least 5 days
- Do not match any of the previous 25 passwords used
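Added example, not part of the comment above and not code from its author: one way to enforce the listed rules at password-change time, with history kept as salted digests rather than plaintext. The function names, the `strength` hook (a callable returning a zxcvbn-style 0-4 score), the score threshold and the PBKDF2 work factor are assumptions; the sample data is constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LEN, MAX_LEN = 16, 255        # from the comment
MIN_AGE = timedelta(days=5)       # from the comment
HISTORY_DEPTH = 25                # from the comment
MIN_SCORE = 3                     # assumption: zxcvbn-style 0-4 score threshold
PBKDF2_ROUNDS = 100_000           # assumption: example work factor

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def store(password):
    """Return the (salt, digest) pair kept in a user's history; never the plaintext."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def check_new_password(candidate, history, last_changed, now, breached, strength=None):
    """Return the list of violated rules; an empty list means the change is accepted."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if candidate.lower() in breached:
        problems.append("breached")
    # strength is a hypothetical hook, e.g. a thin wrapper around a zxcvbn library
    if strength is not None and strength(candidate) < MIN_SCORE:
        problems.append("weak")
    if last_changed is not None and now - last_changed < MIN_AGE:
        problems.append("min_age")
    # History holds salted digests, so the candidate is re-derived under each stored salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break
    return problems

if __name__ == "__main__":
    now = datetime(2023, 3, 2, 18, 44)
    history = [store("correct horse battery staple")]   # constructed sample data
    breached = {"passwordpassword1"}                     # constructed sample list
    for pw, changed in [("correct horse battery staple", now - timedelta(days=30)),
                        ("PasswordPassword1", now - timedelta(days=30)),
                        ("a brand new long passphrase", now - timedelta(days=2))]:
        print(repr(pw), check_new_password(pw, history, changed, now, breached))
```

The 5-day minimum age is what gives the 25-entry history its effect: without it, a user could cycle through 25 throwaway passwords in one sitting and return to the original.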
mark • March 2, 2023 1:00 PM
And NIST guidelines, as of three years ago, were that you don’t need to change your passwords more than every couple of years.