consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Authentication #103

Open TatevSarg opened 6 years ago

TatevSarg commented 6 years ago

Congrats on expanding the authentication section. The new criteria and indicators look great!! A couple of minor suggestions to consider.

  1. Some of the terms need to be explained/defined to clarify the benchmarks.
  2. Clarify the distinction between the following two indicators: “If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long.” and “If the product uses a password/passphrase for authentication, the password/passphrase may be at least 20 characters long.”

  3. Consider adding an indicator or expanding “The product notifies users when account security settings have changed,” to include notice about any unusual account activity and possible unauthorized access to users’ accounts (e.g., notice about incorrect log-in attempts).

  4. Consider adding an indicator regarding the ability and process to recover locked accounts.

KatieMcInnis commented 5 years ago
  1. Agree that defining the terms would be good. However, I worry that adding these definitions would make this already unwieldy digital standard even more so. Is there a good place to define these terms? Should we have a glossary stored on the github?

  2. How about: "If the product uses a password/passphrase for authentication, the password, at a minimum, be at least 8 characters long" and "If the product uses a password/passphrase for authentication, the product supports longer passwords of 20+ characters." Does that work?

  3. We have been interpreting that indicator as including such actions. For instance, receiving an email to notify you that your password has changed falls underneath this category. Knowing that, do you still recommend we make this indicator more specific?

  4. Interesting! What do you recommend?

Thanks, @TatevSarg !
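As an added example (not part of this thread or of the Digital Standard itself), this is how a tester might encode the two length indicators proposed above and check the second one empirically: a product only "supports 20+ characters" if characters past the cutoff actually influence the stored verifier. The policy values, the sample passphrase and the deliberately truncating KDF are all constructed for illustration.

```python
import hashlib
import unicodedata
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Length rules a tester records for a product (constructed values)."""
    min_length: int   # shortest password the product accepts
    max_length: int   # longest password the product accepts


def meets_minimum_indicator(policy: PasswordPolicy) -> bool:
    """Indicator: passwords must be at least 8 characters long."""
    return policy.min_length >= 8


def meets_long_password_indicator(policy: PasswordPolicy) -> bool:
    """Indicator: the product supports longer passwords of 20+ characters."""
    return policy.max_length >= 20


def validate(policy: PasswordPolicy, password: str) -> Tuple[bool, str]:
    """Apply the policy, counting code points after NFC normalisation so a
    composed character (e.g. an accented letter) counts once, not twice."""
    n = len(unicodedata.normalize("NFC", password))
    if n < policy.min_length:
        return False, "too short"
    if n > policy.max_length:
        return False, "too long"
    return True, "ok"


def derive(password: str, salt: bytes) -> bytes:
    """Reference verifier: every character of the password is used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def truncating_derive(password: str, salt: bytes) -> bytes:
    """Deliberately broken verifier: silently keeps only the first 16 chars,
    so a product built on it would accept long passwords without using them."""
    return derive(password[:16], salt)


def uses_full_password(kdf: Callable[[str, bytes], bytes], salt: bytes = b"\x00" * 16) -> bool:
    """Empirical check for the 20+ indicator: changing a character beyond
    position 20 must change the verifier output."""
    long_pw = "correct horse battery staple 2024"   # 33 characters, constructed
    altered = long_pw[:-1] + "X"                     # differs only at position 33
    return kdf(long_pw, salt) != kdf(altered, salt)
```

A policy such as `PasswordPolicy(8, 16)` passes the first indicator but fails the second, and `uses_full_password(truncating_derive)` shows the kind of product that claims long-password support without delivering it.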

secretrobotron commented 5 years ago

> Is there a good place to define these terms? Should we have a glossary stored on the github?

I think this is a really good idea. We could just start a glossary.md.