dumb-password-rules
update readme to not be plain and simple shaming
so that we can also educate people on how to not be on that list
Thanks for your previous submission!
I'm still interested in something here, but note that I've migrated from the README to a full site (https://github.com/duffn/dumb-password-rules/pull/443). If you'd like to add a section on the about page that notes how best to not get on the list, I'm happy to take another look
no problem I will try to take a look at it.
@allan-simon are you still on it? I stumbled today over this project and instantly had the same complaint as you did ... 3 years ago :laughing: so here I am, willing to lend a hand in a fitting addendum for the "about" page.
I went over the current state of the NIST guidelines and based on that I'd suggest the following additional paragraph after "What makes a dumb password?":

"What makes a good password policy?" The current NIST guidelines for passwords recommend:
- Longer passwords (>12 characters), and even longer ones are recommended (passphrases with 64+ characters).
- Don't require password complexity, but screen out common passwords like "password" or "123456" (see also zxcvbn, "a password strength estimator inspired by password crackers").
- Avoid mandatory password changes except in cases of suspected compromise.
- Allow copy-paste to facilitate the use of password managers.
- Use two-factor authentication (2FA) or multi-factor authentication (MFA), especially for high-value accounts.
@abernh if you want to replace my PR, feel free; I don't think I would have the time any time soon.
NIST actually states >8 characters, and for 2) yes, and point out that services like https://haveibeenpwned.com/ provide an API for that, and all major web frameworks I know of (Laravel, Django, Symfony, Ruby on Rails) provide an integration with it.
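To make the policy points from the suggested paragraph and the breached-password API mentioned just above concrete, here is an added example that is not part of the dumb-password-rules project: a validator that enforces a minimum length, no composition rules, a common-password blocklist, and a k-anonymity lookup in the style of the Pwned Passwords range endpoint, where only the first five hex characters of the password's SHA-1 leave the client. The blocklist, the `fake_fetch_range` function and its response body are constructed for the example; a real deployment would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
import hashlib

MIN_LENGTH = 8  # NIST minimum; longer passphrases are encouraged, not capped here

# Constructed stand-in for a real list of common/leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Constructed range response for prefix 5BAA6 (SHA-1 of "password" starts with it).
# Real responses have the same "SUFFIX:COUNT" line format, one line per hash.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
)


def fake_fetch_range(prefix):
    """Hypothetical offline replacement for GET /range/{prefix}."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=fake_fetch_range):
    """Number of breach occurrences; only the hash prefix is sent out."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password, fetch_range=fake_fetch_range):
    """Return the list of policy violations (empty list means accepted).
    Deliberately no uppercase/digit/symbol composition rules."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    elif breach_count(password, fetch_range) > 0:
        problems.append("breached")
    return problems
```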
True, it's just 8 characters. Well spotted.
I added the API reference and created a new PR https://github.com/duffn/dumb-password-rules/pull/497