cisagov / ScubaGoggles

SCuBA Security Configuration Baselines and assessment tool for Google Workspace
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

Evaluate the 12-character password requirement #253

Open adhilto opened 3 months ago

adhilto commented 3 months ago

With regard to GWS.COMMONCONTROLS.5.2, what is the motivation for the number 12? More is obviously stronger, but NIST guidance specifies 8 characters (https://pages.nist.gov/800-63-3/sp800-63b.html). Is there a specific reason we're deviating from NIST guidance (beyond "more is better")?

jkaufman-mitre commented 3 months ago

@adhilto I will talk to our team as I was not around when that policy was initially created.

jkaufman-mitre commented 3 months ago

@adhilto I am wondering if they got that number from this Google article:

jkaufman-mitre commented 2 months ago

@adhilto After discussion internally, we are going to keep it at a minimum of 12 and cite the Google recommendation from the article above. Even though NIST says 8 characters, Google says 12 and the DISA standard is 15.

buidav commented 2 months ago

Recommend we add that link and add to the rationale where the number came from.

As the Common Controls 5.2 policy currently sits, there is no reference to that article in the resource links, and the justification for the 12-character password limit is NIST 600-63B, which recommends only 8 characters.
