05-08-2013, 02:13 PM
Dankasaur
So Fucking Fossilized
Join Date: Sep 2011
Posts: 1,432
Quote:
Originally Posted by PR_Phil
https://www.pcisecuritystandards.org...pci_dss_v2.pdf

I have nothing to say about Paxum here, but that is a link to the PCI DSS requirements for Data Security.

rule 8.5.9 - Change user passwords at least every 90 days.

rule 8.5.10 - Require a minimum password length of at least seven characters.

rule 8.5.11 - Use passwords containing both numeric and alphabetic characters.

rule 8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

rule 8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.

If you go to that link and scroll to page 49, you can view a complete list of the rules regarding user passwords. I would expect a company that controls people's money to follow PCI regulations.
Wow, that's not secure at all... "Hey not only are we gonna require you to change your password every 3 months, but we're also gonna store your last 4 passwords to make sure you don't use them either." Great way to give access to all your shit.

Fact of the matter is, no password storage or hashing or anything security related matters when your users use easily guessed passwords... This is just an inconvenience for the users and will just make them rotate between a select few passwords, making the whole security aspect of it worthless.
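As an added example (not code from either poster or from the PCI standard), the sketch below shows how the quoted rules 8.5.10 through 8.5.13 can be enforced without ever retaining old passwords in the clear: the "last four" history of 8.5.12 is kept as salted PBKDF2 hashes, so a reuse check compares hashes and the stored history is no more useful to a thief than the current password hash. The account record, constants and the 90-day rotation of 8.5.9 are assumptions (the latter is left out); only the Python standard library is used.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # illustrative work factor; tune for the deployment
HISTORY_DEPTH = 4         # 8.5.12: reject any of the last four passwords
MIN_LENGTH = 7            # 8.5.10: at least seven characters
MAX_ATTEMPTS = 6          # 8.5.13: lock the user ID after no more than six failures


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt for every stored password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_composition(password: str) -> bool:
    """8.5.10 and 8.5.11: length >= 7 with both alphabetic and numeric characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class Account:
    """Constructed user record: current (salt, digest) plus a bounded hash history."""
    def __init__(self, password: str):
        self.current = hash_password(password)
        self.history: list[tuple[bytes, bytes]] = []   # hashes of past passwords only
        self.failures, self.locked = 0, False

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        # Re-derive with the entry's own salt; constant-time compare of the digests
        return hmac.compare_digest(hash_password(password, entry[0])[1], entry[1])

    def change_password(self, new_password: str) -> bool:
        """8.5.12: refuse the current password or any of the last four, then rotate."""
        if not meets_composition(new_password):
            return False
        if any(self._matches(new_password, e) for e in [self.current] + self.history):
            return False
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = hash_password(new_password)
        return True

    def login(self, password: str) -> bool:
        """8.5.13: count consecutive failures and lock the ID at MAX_ATTEMPTS."""
        if self.locked:
            return False
        if self._matches(password, self.current):
            self.failures = 0
            return True
        self.failures += 1
        self.locked = self.failures >= MAX_ATTEMPTS
        return False
```

A locked account here stays locked until an out-of-band reset clears `locked`, which is where the standard's reset procedure would plug in.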