DEV Community

Discussion on: 10 best practices to protect your users’ data (and why they’re still not sufficient)

Robbert Müller

On point 2:

The 'wisdom' of this age is not to rotate passwords on a schedule, but only when there are indications that it is needed.

see: nakedsecurity.sophos.com/2016/08/1...

To list the don'ts:

  • No composition rules.
  • Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
  • No password hints.
  • Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school...
  • No more expiration without reason.
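As an added example (my own illustration, not code from the comment above or from the linked Sophos article), here is what a verifier-side check looks like when it follows that list: a minimum and a generous maximum length, a blocklist of common or breached passwords matched after undoing leet substitutions and allowing one-character near-misses (so the "illusory complexity" of pA55w+rd is caught as a variant of "password"), rejection of context words such as the username, and no composition rules, hints or security questions at all. Rotation is event-driven rather than age-driven. The blocklist, the leet map and the set of compromise indicators are constructed stand-ins for the real lists a deployment would use.

```python
"""Password acceptance in the spirit of the NIST SP 800-63B advice listed above.

Added illustration, not the article's code.  COMMON_PASSWORDS, LEET_MAP and
COMPROMISE_INDICATORS are constructed stand-ins for real data sources.
"""
import unicodedata

MIN_LENGTH = 8     # NIST minimum for user-chosen memorized secrets
MAX_LENGTH = 128   # allow long passphrases; never silently truncate

# Constructed stand-in for a real breached/common-password list (e.g. an HIBP export)
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "iloveyou", "monkey",
}

# Substitutions that look like complexity but add almost no entropy
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed set of events that justify forcing a change
COMPROMISE_INDICATORS = frozenset(
    {"breach_match", "phishing_report", "shared_credential", "malware_on_device"}
)


def levenshtein(a, b):
    """Edit distance; used to catch one-character variants of blocklisted words."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_forms(pw):
    """Normalized forms of pw to compare against the blocklist.

    NFKC + lowercase, with and without trailing digits ("password2024" -> "password"),
    with and without leet substitutions undone, symbols dropped.
    """
    s = unicodedata.normalize("NFKC", pw).lower()
    forms = {s}
    stem = s.rstrip("0123456789")
    if stem:
        forms.add(stem)
    for f in list(forms):
        forms.add(f.translate(LEET_MAP))
    return {"".join(ch for ch in f if ch.isalnum()) for f in forms} - {""}


def check_password(pw, blocklist=COMMON_PASSWORDS, context=()):
    """Return (accepted, reason).

    Deliberately absent: required character classes, hints, security questions.
    Present: length bounds, a blocklist with leet/near-miss matching, and
    rejection of context words (username, site name) supplied by the caller.
    """
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    forms = candidate_forms(pw)
    for bad in blocklist:
        for cand in forms:
            # exact hit, or a single edit away from a reasonably long blocklisted word
            if cand == bad or (len(bad) >= 6 and levenshtein(cand, bad) <= 1):
                return False, "too close to common password %r" % bad
    for word in context:
        w = word.lower()
        if len(w) >= 4 and any(w in cand for cand in forms):
            return False, "contains context word %r" % word
    return True, "accepted"


def rotation_required(password_age_days, indicators):
    """Event-driven rotation: age alone is never a reason, a compromise indicator is."""
    del password_age_days  # intentionally ignored
    return bool(set(indicators) & COMPROMISE_INDICATORS)


if __name__ == "__main__":
    for pw in ("pA55w+rd", "P@ssw0rd2024", "correct horse battery staple", "abc"):
        print(repr(pw), check_password(pw))
    print(check_password("robbert1234", context=("mjrider", "robbert")))
    print(rotation_required(400, set()), rotation_required(3, {"breach_match"}))
```

Running it shows pA55w+rd and P@ssw0rd2024 rejected as variants of "password", the four-word passphrase accepted despite having no digits or symbols, and a 400-day-old password left alone while a 3-day-old one with a breach match is flagged for change.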