ministryofjustice / itpolicycontent

Draft and review content for MoJ IT Policy.

Adjust password standard to remove explicit requirement for complex passwords. #48

Closed warmanaMOJ closed 6 years ago

warmanaMOJ commented 6 years ago

Feedback was received, pointing out that NCSC guidance recommends avoiding a requirement for complex passwords. Further, having a suitable password block list, alerts on brute-force attempts, a maximum-tries lockout, and identification of attempted sign-ins from unusual locations would all comply with the intent of the NCSC guidance while removing the need for complex passwords.

This issue will draft an updated version of the password standard, accordingly, for review purposes.
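The compensating controls listed in the comment above (a password block list, brute-force alerting, a maximum-tries lockout, and flagging of sign-ins from unusual locations) are shown below as working defender-side checks. This is an added example, not content from the itpolicycontent repository or the published MoJ standard; the block list, the minimum length, the lockout threshold and window, and the log format are all constructed assumptions for illustration.

```python
"""Block-list, lockout and unusual-location checks in place of a complexity rule.

Added example; thresholds and sample data are assumptions, not MoJ policy values.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed block list. In practice this would be loaded from a breached-password
# list plus organisation-specific words (department names, site names, years).
BLOCK_LIST = {"password", "password1", "qwerty", "123456", "letmein",
              "welcome1", "ministry", "justice2018"}
MIN_LENGTH = 8          # assumed minimum length; the standard sets its own value
MAX_ATTEMPTS = 5        # assumed lockout threshold
WINDOW_SECONDS = 900    # assumed failure window and temporary lockout duration


def password_blocked(candidate: str) -> Optional[str]:
    """Return a rejection reason, or None if the password passes the block-list check."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    lowered = candidate.lower()
    if lowered in BLOCK_LIST:
        return "on block list"
    # Reject trivial variants: a block-listed word with digits/symbols appended,
    # which is what a complexity rule typically coaxes users into producing.
    stripped = lowered.rstrip("0123456789!@#$%^&*")
    if stripped in BLOCK_LIST:
        return "block-list word with trivial suffix"
    return None


@dataclass
class AccountState:
    failures: List[int] = field(default_factory=list)   # timestamps of recent failures
    locked_until: int = 0                               # epoch seconds; 0 = not locked
    known_locations: Set[str] = field(default_factory=set)


class SignInMonitor:
    """Tracks failures per account, applies a temporary lockout and raises alerts."""

    def __init__(self) -> None:
        self.accounts = defaultdict(AccountState)
        self.alerts: List[str] = []

    def record(self, ts: int, user: str, success: bool, location: str) -> str:
        st = self.accounts[user]
        if ts < st.locked_until:
            self.alerts.append(f"{user}: attempt while locked out")
            return "locked"
        if success:
            # Unusual-location detection: known locations are learned from earlier
            # successful sign-ins; the first sign-in establishes the baseline.
            if st.known_locations and location not in st.known_locations:
                self.alerts.append(f"{user}: sign-in from unusual location {location}")
            st.known_locations.add(location)
            st.failures.clear()
            return "ok"
        # Failed attempt: keep only failures inside the window, then count.
        st.failures = [t for t in st.failures if ts - t < WINDOW_SECONDS]
        st.failures.append(ts)
        if len(st.failures) >= MAX_ATTEMPTS:
            st.locked_until = ts + WINDOW_SECONDS   # time-limited, so not a permanent DoS
            self.alerts.append(
                f"{user}: {MAX_ATTEMPTS} failures within {WINDOW_SECONDS}s, "
                "account locked; possible brute force")
            return "locked"
        return "failed"


# Constructed sample log: "<epoch> <user> <OK|FAIL> <location>".
SAMPLE_LOG = """\
1000 alice FAIL London
1010 alice FAIL London
1020 alice FAIL London
1030 alice FAIL London
1040 alice FAIL London
1050 alice FAIL London
1060 bob OK London
1070 bob OK Lagos
"""


def replay(log_text: str) -> Tuple[List[str], List[str]]:
    """Feed each log line through the monitor; return per-line outcomes and alerts."""
    mon = SignInMonitor()
    outcomes = []
    for line in log_text.splitlines():
        ts, user, result, loc = line.split()
        outcomes.append(mon.record(int(ts), user, result == "OK", loc))
    return outcomes, mon.alerts


if __name__ == "__main__":
    for pw in ("Password123!", "correct horse battery staple"):
        print(pw, "->", password_blocked(pw) or "accepted")
    outcomes, alerts = replay(SAMPLE_LOG)
    print(outcomes)
    print("\n".join(alerts))
```

The lockout is deliberately time-limited rather than permanent, so that an attacker who knows a username cannot lock a legitimate user out indefinitely; the alert, not the lockout, is what the comment's "alerts on brute force attempts" point relies on. The suffix-stripping check in `password_blocked` is the reason a block list is a better fit than a complexity rule: it catches the `Password123!` pattern that a complexity rule would accept.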

warmanaMOJ commented 6 years ago

Updates made, as follows:

  1. Remove explicit requirement for complex characters in passwords.
  2. Link to NCSC guidance on not requiring complex passwords.
  3. Add section on Blocking passwords.

Final draft visible here.

Changes reviewed and OK'd by Jennifer L. and Greg S.

Please may I request approval to publish?

cybersquirrel commented 6 years ago

Approved.

warmanaMOJ commented 6 years ago

Thank you. Published.