@technion
Last active June 11, 2025 12:07
A set of references on modern password policies

References on modern password policies

Each entry below gives the organisation, the reference link and the relevant quote.

NIST

https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Microsoft Guidelines

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Password expiration policies do more harm than good

Australian Government

https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords

Stop frequently changing passwords, for example each month, as it leads to poor passwords being created

UK National Cyber Security Centre

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords

US FTC

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
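The references above all argue against the same two controls: composition rules and periodic expiry. The following is an added example, not code from this gist or from any of the organisations cited, that puts a legacy policy of that kind beside a verifier policy written to the NIST SP 800-63B text quoted above (length bounds, a breach-corpus blocklist, and a forced change only on evidence of compromise). The thresholds, the `Account` fields and the small breach corpus are assumptions constructed for the example.

```python
"""Added illustration (not from the gist or from NIST): a legacy password
policy with composition rules and 90-day expiry, beside a verifier policy
following NIST SP 800-63B section 5.1.1.2. Thresholds, the breach corpus and
the Account fields are assumptions for the example."""
import hashlib
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ---- Legacy policy: the practice the references above argue against ----
LEGACY_MAX_AGE = timedelta(days=90)


def legacy_reject_reasons(candidate: str) -> list[str]:
    """Composition rules plus a ban on consecutively repeated characters."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    for label, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                           ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, candidate):
            reasons.append(f"missing {label}")
    if re.search(r"(.)\1", candidate):
        reasons.append("consecutively repeated character")
    return reasons


def legacy_must_change(password_set_at: datetime, now: datetime) -> bool:
    """Forced periodic rotation, regardless of any evidence of compromise."""
    return now - password_set_at >= LEGACY_MAX_AGE


# ---- Modern policy: 800-63B 5.1.1.2 ----
MIN_LEN, MAX_LEN = 8, 128  # 800-63B: at least 8 required; at least 64 must be permitted


def _normalise(candidate: str) -> str:
    # Normalise before measuring or hashing so precomposed and decomposed
    # forms of the same character compare equal (800-63B recommends NFKC/NFC).
    return unicodedata.normalize("NFKC", candidate)


# Constructed stand-in for a breach corpus, keyed by SHA-1 the way the Have I
# Been Pwned "Pwned Passwords" range API is (only the first 5 hex characters
# of the digest leave the client there). A real verifier uses that API or a
# local dump; this set exists only so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(_normalise(p).encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty123", "Tr0ub4dor&3", "Welcome1!")
}


def is_breached(candidate: str) -> bool:
    digest = hashlib.sha1(_normalise(candidate).encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def modern_reject_reasons(candidate: str) -> list[str]:
    """Length bounds and a blocklist check only. No character-class rules and
    no repeated-character rule ("SHOULD NOT impose other composition rules")."""
    reasons = []
    n = len(_normalise(candidate))
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif n > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    elif is_breached(candidate):
        reasons.append("appears in breach corpus")
    return reasons


@dataclass
class Account:
    username: str
    password_set_at: datetime
    # Set by a breach notification, credential-stuffing detection, etc. (assumed field)
    compromise_evidence: bool = False


def modern_must_change(account: Account) -> bool:
    """No arbitrary expiry; a change is forced only on evidence of compromise
    ("verifiers SHALL force a change if there is evidence of compromise")."""
    return account.compromise_evidence


if __name__ == "__main__":
    now = datetime(2025, 6, 11, tzinfo=timezone.utc)
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_reject_reasons(pw) or 'accept'} "
              f"modern={modern_reject_reasons(pw) or 'accept'}")
    stale = Account("alice", now - timedelta(days=120))
    hit = Account("bob", now - timedelta(days=3), compromise_evidence=True)
    print("legacy forces alice:", legacy_must_change(stale.password_set_at, now))
    print("modern forces alice:", modern_must_change(stale), "bob:", modern_must_change(hit))
```

Run as a script, the legacy policy accepts `Tr0ub4dor&3` (it satisfies every character class) and rejects the long passphrase for lacking uppercase and digits and containing `rr`, while the 800-63B policy does the opposite: the passphrase passes and the breached string is refused. Alice, who has not changed her password for 120 days, is forced to rotate under the legacy policy and left alone under the modern one; Bob is forced to rotate under the modern policy only because of the compromise flag.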

@rptaylor

@technion
I added two references: Government of Canada and ENISA.
https://gist.github.com/rptaylor/44edb4ca7e4166619f0013cd5b461cb7
Can you pull the update?

@technion

@rptaylor thanks I will do tomorrow.

@hb-i the title says exactly what it is.

@jpayoung

jpayoung commented May 2, 2024

@technion would you be okay if I fork / port this to a repo which others can contribute to? (Or if you have one already, I'll contribute there). Cheers!

@technion

technion commented May 4, 2024

You're most welcome to fork this. Hopefully you'll have better luck than I've had in convincing people what a modern best practice looks like.

@jpayoung

jpayoung commented May 4, 2024

We'll see! Thank you.
