pass-requirements
In accordance with NIST SP800-63B version 4, we require:
- Minimum password length: 15
- Password must not contain username (or vice versa)
- Password must not be on a list of known trivial or compromised passwords
Existing accounts created before this policy was adopted in 2024 may have weaker passwords, but in the absence of compromise we do not force them to be changed. (Passwords older than July, 2019, were expired after a compromise.)
Not every user interface for changing passwords is currently able to check the database of compromised passwords.