mozilla / openbadges-backpack

Mozilla Open Badges Backpack
https://backpack.openbadges.org/

Your password rules are a little old school #1153

Closed ftrotter closed 6 years ago

ftrotter commented 6 years ago

Most of what you are doing has been shown to be ineffective by recent research.

https://www.semperis.com/microsoft-upends-traditional-password-recommendations-with-significant-new-guidance/

Why not enable social logins and/or other forms of two-factor authentication to better prevent attacks?

-FT

auralon commented 6 years ago

Hi @ftrotter, I'm aware that NIST also took a more relaxed approach to their password recommendations recently, but these security features were implemented based on recommendations from OWASP. As far as web application security goes, they tend to be a highly trusted source.

In this day and age, people really should be using a password manager, so having unique strong passwords for every online account shouldn't be a burden, but I realise that not everyone makes use of these tools. Passwords will, at some point, become entirely useless and antiquated, but for now we're still stuck with them.

Also, adding social logins is planned for the future; the groundwork has already been laid.