Paco Hope@paco@infosec.exchange
Any #infosec folks wanna help me with some decent data to backup the following point? I am trying to make the point to some executives that a #password policy requiring minimum 8 characters with 1 symbol, mixed case, and 1 number is just not reasonable in 2025. (I'm commenting on another company's policy, not my own!)
What is a good example of a policy (e.g., NIST 800-63 or whatever) that said 49 bits was no good?
I currently say: 49 bits of entropy was unacceptably low in 2005. It is unthinkably low in 2025. What can I point to that might resonate better than "bits of entropy?"
Using the classic method with Shannon's estimate, I figure it's on the order of 49 bits of entropy but that's only if it's purely random from the full character set, and we konw that's not true.
I'm not looking for rhetorical suggestions. I'm good at rhetoric. I'm looking for references I can point to (like "XYZ published in 2011 that the minimum acceptable password was 56 bits of entropy")
feel free to boost for fun
#security #cybersecurity
Pseudonymous :antiverified:@VictimOfSimony@infosec.exchange
@paco@infosec.exchange
With how often this came up this week I feel like I should just have a bot that replies with this article. 
https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules