
Should we submit websites that have password reuse rules?

Open viperx77 opened this issue 5 years ago • 5 comments

Should we submit sites that violate NIST's new recommendation against password expiration?

NIST Summary

viperx77 avatar Sep 09 '19 20:09 viperx77

I wouldn't exactly consider checking the password with past passwords to be problematic, although it strongly suggests forced password resets (which are themselves problematic).

If a website, like, prevents reusing the old password because it was forcibly changed due to compromise, then preventing the user from changing password back is actually a good idea - after all, the credential was compromised.

KamilaBorowska avatar Sep 11 '19 13:09 KamilaBorowska

Sorry, I meant password expiration rules and not history. I have updated the title.

viperx77 avatar Sep 12 '19 20:09 viperx77

It's a PCI DSS requirement that you cannot reuse any of your last 4 passwords (section 8.2.5). Banks and other sites that provide financial services will need to conform with this rule.

nzgeek avatar Sep 20 '19 04:09 nzgeek

8.2.5 doesn't apply to user accounts, but to accounts "with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data". As a further clarification, PCI DSS even says "These requirements do not apply to accounts used by consumers (e.g., cardholders)."

Banks and other sites that provide financial services don't need to conform with this rule unless they allow viewing cardholder data of other users (viewing information of your own card is not an issue).

If a user has access to cardholder data of other users, resetting a password every 90 days is fine, I would say. Sure, it probably would be better not to require this, but not doing so wouldn't comply with PCI DSS. This isn't something that applies to most websites, however.

KamilaBorowska avatar Sep 20 '19 07:09 KamilaBorowska
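The two comments above together describe a concrete rule: reject any of the last four passwords, but only for accounts with administrative capabilities or access to cardholder data, not consumer accounts. The following is an added example of how such a scoped history check can be implemented without keeping old passwords in a recoverable form; it is not code from the dumb-password-rules project or from anyone in this thread. The `Account` class, the `privileged` flag, and the PBKDF2 work factor are assumptions made for the illustration.

```python
"""Password-history check scoped to privileged accounts.

Added example, not code from the dumb-password-rules project. It models the
PCI DSS 8.2.5 reading in the thread: the last four passwords cannot be
reused, but only for accounts with administrative access or access to
cardholder data, while consumer accounts are exempt.
"""
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 4        # "last 4 passwords": the live one plus three predecessors
ITERATIONS = 100_000     # PBKDF2-HMAC-SHA256 work factor; demo value (assumption),
                         # raise it for production use


def hash_password(password, salt=None):
    """Return (salt, digest) for one history entry.

    Every entry gets its own random salt, so a reuse check has to re-derive
    the candidate once per stored entry instead of comparing a single hash.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class Account:
    """Hypothetical account record; only the password-history logic matters here."""

    def __init__(self, username, password, privileged=False):
        self.username = username
        self.privileged = privileged      # admin or cardholder-data access (assumption)
        # Bounded history: appending a fifth entry silently drops the oldest one,
        # so the oldest password becomes usable again exactly when it leaves the window.
        self.history = deque(maxlen=HISTORY_DEPTH)
        self.history.append(hash_password(password))

    def verify(self, password):
        """Check a login attempt against the newest (live) entry only."""
        salt, digest = self.history[-1]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)

    def _reused(self, password):
        """True if the password matches any entry still inside the history window."""
        for salt, digest in self.history:
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, digest):
                return True
        return False

    def change_password(self, new_password):
        """Return True if the change is accepted, False if the history rule rejects it.

        The rule is enforced only for privileged accounts, matching the scope
        PCI DSS gives for requirement 8.2.5; consumer accounts skip the check.
        """
        if self.privileged and self._reused(new_password):
            return False
        self.history.append(hash_password(new_password))
        return True
```

Because each entry carries its own salt, checking a candidate costs one key derivation per remembered password, which is why the window stays small in practice; a single shared salt would be cheaper but would let an attacker who obtains the history table spot repeated passwords across accounts.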

While the points under section 8.2 are only supposed to apply to non-consumer accounts, it's common for auditors to overlook this. I've encountered 3 separate PCI auditors who have applied the 8.2.5 rules to all types of user account.

It's certainly the path of least resistance to apply those rules to all user types, rather than argue with the auditor about who the rule applies to.

nzgeek avatar Sep 20 '19 10:09 nzgeek

If you consider it "dumb", I'll review any PRs that anyone would like to submit.

duffn avatar Feb 15 '23 02:02 duffn