Comment by clwg

2 days ago

This requirement is in section 8.3.9 of the PCI DSS[0], and only applies to single-factor authentication implementations; two-factor auth removes this requirement.

[0] https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard...

Your broker/bank still needs to do it, unfortunately... someone please fix this :(

[0] https://www.finra.org/filing-reporting/entitlement/password-...

  • > If the password length is 12 to 15 characters, it will be valid for 180 days

    > If the password length is 16 to 32 characters, it will be valid for 365 days

    Madness.

    • I'm a big fan of "should not include profanity, words of a vulgar nature". It's not unthinkable my password manager comes up with a chain of letters that at one point will include "fuck".

  • What's the scope of that? Not consumer accounts I imagine? I haven't had to change my bank account passwords in over a decade.