
New Password Guidelines from the National Institute of Standards and Technology - jbkly7
https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/
======
jdashg
Punching through to the actual draft, I see this allowance for passwords:

"Verifiers MAY remove multiple consecutive space characters, or all space
characters, prior to verification provided that the result is at least 8
characters in length."

It really stands out compared to the transparently-reasoned requirements
around it, though this rationale is provided later:

"Users should also be able to include space characters to allow the use of
phrases. Spaces themselves, however, add little to the complexity of passwords
and may introduce usability issues (e.g., the undetected use of two spaces
rather than one), so it may be beneficial to remove spaces in typed passwords
prior to verification."

I still dislike that it breaks the "just hash what I enter" axiom
(normalizing Unicode aside, obviously). At least it's "MAY"!
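
An added example, not part of the comment above or of the NIST draft: one way a verifier could apply the quoted space-removal allowance, with the 8-character check run on the result and the same canonicalization used at enrollment and at verification. The function names, the NFKC choice and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8        # from the quoted draft text; checked AFTER space removal
ITERATIONS = 600_000  # assumed PBKDF2 work factor, not taken from the page


def normalize(password: str, strip_all_spaces: bool = False) -> str:
    """Canonicalize typed input; must be identical at enrollment and login."""
    # Assumed choice: NFKC first, so look-alike spaces (e.g. U+00A0) become
    # U+0020 before any space handling runs.
    text = unicodedata.normalize("NFKC", password)
    if strip_all_spaces:
        text = text.replace(" ", "")        # "all space characters"
    else:
        text = re.sub(r" {2,}", " ", text)  # "multiple consecutive space characters"
    if len(text) < MIN_LENGTH:
        raise ValueError("fewer than 8 characters after space removal")
    return text


def _derive(canonical: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", canonical.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, strip_all_spaces: bool = False):
    """Return (salt, digest) for storage; raises ValueError if too short."""
    salt = os.urandom(16)
    return salt, _derive(normalize(password, strip_all_spaces), salt)


def verify(password: str, salt: bytes, digest: bytes,
           strip_all_spaces: bool = False) -> bool:
    """Constant-time comparison of the stored digest against the typed input."""
    try:
        canonical = normalize(password, strip_all_spaces)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(canonical, salt), digest)
```

The mode has to be fixed per deployment: a digest enrolled with collapsed spaces will not verify input that had all spaces stripped, and the reverse.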

------
paulddraper
Ugh with the headlines. It's a DRAFT.

This doesn't change NIST guidelines or PCI requirements or anything. (Yet.)

