From 837694845c99ceebe0720ae0e78965c24556af19 Mon Sep 17 00:00:00 2001 From: eth-developer03 Date: Sun, 5 Jan 2025 11:24:30 +0530 Subject: [PATCH] linking MFA with cheatsheet and updating authentication.sheet #1520 --- cheatsheets/Authentication_Cheat_Sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cheatsheets/Authentication_Cheat_Sheet.md b/cheatsheets/Authentication_Cheat_Sheet.md index 70a2bade08..e032b51aad 100644 --- a/cheatsheets/Authentication_Cheat_Sheet.md +++ b/cheatsheets/Authentication_Cheat_Sheet.md @@ -36,7 +36,7 @@ A key concern when using passwords for authentication is password strength. A "s - **Maximum** password length should be **at least 64 characters** to allow passphrases ([NIST SP800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html)). Note that certain implementations of hashing algorithms may cause [long password denial of service](https://www.acunetix.com/vulnerabilities/web/long-password-denial-of-service/). - Do not silently truncate passwords. The [Password Storage Cheat Sheet](Password_Storage_Cheat_Sheet.md#maximum-password-lengths) provides further guidance on how to handle passwords that are longer than the maximum length. - Allow usage of **all** characters including unicode and whitespace. There should be no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. -- Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable **Multi-Factor Authentication (MFA)**. Password rotation must only occur in cases of compromise or when authenticator technology changes. +- Ensure credential rotation when a password leak occurs, at the time of compromise identification or when authenticator technology changes. Avoid requiring periodic password changes; instead, encourage users to pick strong passwords and enable [Multifactor Authentication Cheat Sheet (MFA)](Multifactor_Authentication_Cheat_Sheet.md). According to NIST guidelines, verifiers should not mandate arbitrary password changes (e.g., periodically). According to [NIST guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html), verifiers should not mandate arbitrary password changes (e.g., periodically). - Include a password strength meter to help users create a more complex password and block common and previously breached passwords - [zxcvbn-ts library](https://github.com/zxcvbn-ts/zxcvbn) can be used for this purpose.