For various reasons I re-read the original document; a partial summary follows:
Password rules specified in NIST Special Publication 800-63 (formerly titled Electronic Authentication Guideline; the current revision is titled Digital Identity Guidelines)
In the latest version (revision 3), what used to be a single document has been split into four (800-63-3, 800-63A, 800-63B and 800-63C). The password rules are in 800-63B, Authentication and Lifecycle Management [1].
In 800-63B the password rules are set out mainly in Section 5.1.1 (Memorized Secrets) and Appendix A (Strength of Memorized Secrets). Section 5.1.1 gives the normative requirements; Appendix A gives the background discussion and the rationale behind them.
Limiting this to the parts most relevant to the present discussion, the password requirements excerpted from 5.1.1 are:
1. Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.
2. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
3. No other complexity requirements for memorized secrets SHOULD be imposed.
4. When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
5. Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter.
6. The verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100. (Section 5.1.1 requires rate limiting and refers to Section 5.2.2, Rate Limiting, where the figure of 100 consecutive failed attempts is stated.)
7. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily.
Point 3 says a password policy should not demand a mix of character classes; the cost of cracking should come instead from length and from the blocklist of common and compromised passwords in point 4. Point 6 says the rate of password guessing must be limited, and Appendix A notes that this mechanism must still leave legitimate users enough room to mistype their password and must not turn into a denial-of-service vector (an attacker deliberately triggering the lockout on someone else's account). Point 7 says systems should not force users to change their passwords periodically.
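The following is an added example, not code from the post or from NIST, showing what a verifier that follows points 1 through 4, 6 and 7 looks like in Python. It assumes an in-memory account store, a constructed blocklist standing in for the real list of commonly-used or compromised passwords, and a deliberately low PBKDF2 iteration count so it runs quickly; the case-insensitive blocklist match and the username check are implementation choices, not quoted text from the standard. The `Verifier` class, `check_password` and `normalize` are hypothetical names introduced here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

MIN_LEN = 8                      # SHALL: at least 8 characters if user-chosen
MAX_LEN = 64                     # SHOULD: accept at least 64 characters
MAX_CONSECUTIVE_FAILURES = 100   # SHALL: no more than 100 consecutive failures
PBKDF2_ITERATIONS = 20_000       # deliberately low for the demo; production uses far more

# Constructed blocklist (assumption) standing in for the list of
# "commonly-used, expected, or compromised" values the verifier SHALL check.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein!", "iloveyou"}


def normalize(secret: str) -> str:
    """NFKC-normalize so the same visible string always compares and hashes
    the same way, whichever Unicode form the client sent."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "") -> tuple[bool, str]:
    """Apply only length bounds and a blocklist; deliberately no composition
    rules such as 'must contain a digit and a symbol'."""
    s = normalize(secret)
    n = len(s)   # count code points, so a CJK or emoji password is not undercounted
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters"
    folded = s.casefold()  # case-insensitive match: implementation choice
    if folded in BLOCKLIST:
        return False, "on the blocklist of common or compromised passwords"
    if username and username.casefold() in folded:
        return False, "contains the username (context-specific word)"
    return True, "ok"


@dataclass
class Verifier:
    """Hypothetical in-memory verifier: salted PBKDF2 storage plus a
    per-account counter of consecutive failed attempts."""
    _records: dict = field(default_factory=dict)   # username -> (salt, derived key)
    _failures: dict = field(default_factory=dict)  # username -> consecutive failures

    def _derive(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def enroll(self, username: str, secret: str) -> None:
        """Reject the secret at set/change time if it fails the rules (point 4)."""
        ok, reason = check_password(secret, username)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(secret, salt))
        self._failures[username] = 0

    def authenticate(self, username: str, secret: str) -> str:
        """Return 'ok', 'fail' or 'locked'. No periodic expiry is enforced (point 7)."""
        if username not in self._records:
            # Burn the same derivation time so a missing account is not
            # distinguishable from a wrong password by response time.
            self._derive(secret, b"\x00" * 16)
            return "fail"
        if self._failures[username] >= MAX_CONSECUTIVE_FAILURES:
            return "locked"
        salt, stored = self._records[username]
        if hmac.compare_digest(self._derive(secret, salt), stored):
            self._failures[username] = 0   # a success resets the counter
            return "ok"
        self._failures[username] += 1
        return "fail"


if __name__ == "__main__":
    v = Verifier()
    v.enroll("alice", "correct horse battery staple")
    print(check_password("password"))                      # blocked
    print(check_password("e\u0301" * 4))                   # 4 characters after NFKC: too short
    print(v.authenticate("alice", "correct horse battery staple"))
```

The lockout here is the simplest reading of point 6 and illustrates the denial-of-service caveat directly: once the counter reaches 100 the legitimate user is locked out until something resets it, so a real deployment pairs the counter with the softer throttles Section 5.2.2 describes (delays between attempts, CAPTCHA, per-source limits) rather than a hard permanent lock.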