Update: Authentication_Cheat_Sheet.md

[NicolaiSoeborg]

What is missing or needs to be updated?

The current Authentication page is not aligned with:

• best practice for mandatory password rotation (which is to avoid mandatory periodically rotations, see a comparison here: https://søb.org/password/ )
• OWASP's own "A07:2021 – Identification and Authentication Failures" recommendations (which tells to follow NIST SP 800-63b)

Some good quotes:

NIST: Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)

Microsoft: Password expiration requirements do more harm than good

How should this be resolved?

This line does not make sense:

Ensure credential rotation when a password leak occurs, or at the time of compromise identification.

Password leak occurs all the time, and we do not want to force people to change their (potentially) good password for a new (potentially) bad password. Instead we should "annoy" the user with 2FA/MFA, tell them to use a password manager, etc

Suggestion for a new phrasing:

Avoid requiring periodic password changes; instead, encourage users to pick a strong passwords and enable MFA.

[jmanico]

NIST suggests that the only time to rotate passwords is in the case of password data being compromised. So I suggest:

Avoid requiring periodic password changes; instead, encourage users to pick a strong passwords and enable MFA. Consider password rotation only in case of compromise or when authenticator technology is changed.

[eth-developer03]

Hi @jmanico, could you please assign this issue to me? I'd like to take ownership and resolve it

[eth-developer03]

@jmanico ?

[jmanico]

All set, thank you @szh