mirror of
https://github.com/GSA/notifications-admin.git
synced 2026-06-23 08:49:46 -04:00
We see over and over in research that people are tripped up by the 10-character requirement because it’s longer than they are used to. Most sites require 6 or 8 characters for a password.

It goes against the CESG advice, which is to not try increasing password strength by increasing the burden on the user:

> Traditionally, organisations impose rules on the length and complexity
> of passwords. However, people then tend to use predictable strategies
> to generate passwords, so the security benefit is marginal while the
> user burden is high.

https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach

Instead we should be relying on:

- [x] two factor authentication
- [x] blacklisting common passwords
- [ ] locking out users after a number of failed logins (not sure this is working)
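The two controls the message prefers over a long minimum length, a common-password blocklist and a failed-login lockout, as an added Python example that is not code from notifications-admin; the blocklist contents, the 8-character floor and the 5-failures-in-15-minutes threshold are assumptions for illustration:

```python
import time

# Constructed sample blocklist; a real deployment loads a large list of
# breached/common passwords from a file rather than hard-coding a few.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8  # assumption: a modest floor, not a burden-raising rule


def password_problems(password: str, blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    Only a blocklist check and a modest length floor, no composition rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Compare case-insensitively so 'Password' is caught by 'password'.
    if password.lower() in blocklist:
        problems.append("too common")
    return problems


class LoginThrottle:
    """Lock an account after `max_failures` failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock  # injectable so tests can control time
        self._failures = {}  # user id -> list of failure timestamps

    def _recent(self, user: str, now: float) -> list:
        # Drop failures older than the window and keep the pruned list.
        cutoff = now - self.window
        kept = [t for t in self._failures.get(user, []) if t > cutoff]
        self._failures[user] = kept
        return kept

    def is_locked(self, user: str) -> bool:
        return len(self._recent(user, self.clock())) >= self.max_failures

    def record_failure(self, user: str) -> bool:
        """Record a failed login; return True if the account is now locked."""
        now = self.clock()
        self._recent(user, now).append(now)
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        """A successful login (while not locked) clears the failure history."""
        self._failures.pop(user, None)
```

The caller checks `is_locked` before verifying credentials, so a locked account never reaches the password check at all.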