cisagov / ScubaGoggles

SCuBA Secure Configuration Baselines and assessment tool for Google Workspace
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

New NIST Password Guidelines + Changing Password Length Policy #442

Open mdueltgen opened 19 hours ago

mdueltgen commented 19 hours ago

https://cybersecuritynews.com/nist-rules-password-security/
https://pages.nist.gov/800-63-3/sp800-63b.html

New NIST Guidelines change password recommended length to 15, so GWS.COMMONCONTROLS.5.2v0.3 should be updated from the current length of 12.

adhilto commented 18 hours ago

NIST's guidance is: "Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length." We might want to also adopt a split SHALL/SHOULD approach here as well rather than just upping the SHALL minimum to 15.