On PCI DSS v4 and Passwords

7 December 2022

PCI DSS v4.0 & Passwords #

Several years of research have shown that frequent password rest cycles hurt the user, and the security of the password 1,2. Users tend to slightly modify the password rather than coming up with a new password. For example, changing MyPassword^ to MyPassword1^.

In addition, best practices suggest users have a minimum of 12 characters, mix alphanumeric and special symbols. Imagine applying this rule to each of our accounts, since passwords shouldn’t be reused. Most users do not store their password in a password manager, making these recommendations a burden and a challenge for people.