On Mon, Jun 11, 2018, at 19:43, Gould, James wrote:
> In thinking about decreasing the minimum from 8 to 1, I have a concern 
> that we're going to support a minimum that is below the existing RFC 
> 5730 of 6 characters.  I believe it would be best for the Login Security 
> Extension to at least support the existing 6 character minimum with the 
> added language that Scott proposed “Servers SHOULD enforce minimum and 
> maximum password length requirements that are appropriate for their 
> operating environment. One example of a guideline for password length 
> policies can be found in <blah blah> [reference here]”.  Scott's 
> language can be added to the Security Considerations section of the 
> draft.
> 
> Let me know if this will work.  

I do not oppose that if this is the consensus but I still see it as pointless 
to provide *any* specific minimum limit here, and I do not see the problem with 
going lower than RFC5730 since this extension is optional and, hopefully, if it 
is used it means the relevant registry has decided to put more energy and work 
around security measures so you could hope they would deal with this minimum 
issue gracefully (that is enforcing something higher than 6, and not lower, if 
they do define the space of characters allowed too).

-- 
  Patrick Mevzek

_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
