Current NIST Password Requirements for 2025 (SP800-63b).

What’s gone:

❌ Required uppercase, numbers, and symbols
❌ Mandatory password resets every 90 days
❌ Arbitrary complexity policies

What’s required now:

✅ Minimum 8-character passwords (15+ for privileged accounts)
✅ Password screening against compromised credential databases
✅ Support for passwordless authentication and passkeys

Minimum Password Length Requirements

Password length serves as the cornerstone of NIST's updated authentication framework. While the baseline requirement mandates a minimum of 8 characters, security research reveals that passwords under 8 characters can be cracked within hours using modern computing power.

StrongDM has a good summary.

In my ongoing quest to implement PRNGs in pure Perl I'm adding the Marsaglia multiply-with-carry family to my collection. These were a little difficult because the math is all done in 128bits which requires a special emulation layer in Perl. The Perl version is much slower than the C version, but that's to be expected without native 128bit variable types.

I also implemented squares64 PRNG which was a little more straight forward. I learned that bitwise shifts are normally unsigned, but if we're in a use integer block bitwise shifts change to signed. This is not what we want so I ended doing a lot of use integer followed almost immediately by a no integer to make sure we're doing the math in the correct mode.

For the fourth year in a row I made it into the official Perl release notes. People get mentioned if they contribute code to the language. To be fair my contributions were documentation updates, but it's still pretty cool to get referenced in the official release announcement that goes out to the entire world.

I need to print all the lines in a text file after a certain time. You can do this pretty easily with a Perl one-liner:

perl -nE 'if (/13:00/) { $found = 1; next } print if $found' /var/log/messages

The delimiter needs to be in the file to trigger. If there was no line that matches 13:00 nothing will print.

Update: This can also be accomplished with awk:

awk '/13:00/ {found=1; next} found' /var/log/messages

I need a quick way to fetch JSON data from a URL. Using HTTP::Tiny is the easiest way. You can call the function different ways depending on whether you only want the body, or if you want the HTTP status code as well:

my $json = get_url("https://domain.com/stats.json");

my ($html, $http_code) = get_url("https://domain.com/index.html");

sub get_url {
    my $url = shift();

    my $http = HTTP::Tiny->new(verify_SSL => 1, timeout => 5);
    my $resp = $http->get($url);

    my $body   = $resp->{content};
    my $status = $resp->{status};

    my @ret = ($body, $status, $resp);

    return @ret;
}

Getting a random element from a PHP array is a multi-step process and I often forget the syntax. Here is a simple function that will return a random element from the provided array.

function random_elem(array $arr) {
    $key = array_rand($arr);
    $ret = $arr[$key];

    return $ret;
}

I am late to the game learning about the Mustache templating language. It is very mature, and has support for all of the languages I care about: Perl, PHP, and Javascript. I am mainly focused on using it in Javascript as it is a great way to format raw data you get via JSON into something more human consumable like HTML.

Mustache.js is incredibly easy to implement and get started with. A single include loads the entire zero-dependency library. As of v4.2.0 the library is tiny, clocking in at only 25k. A big selling point is the ease of installation and use. You can be up and running with Mustache.js in less than 5 minutes.

<script src="/js/mustache.min.js"></script>

var data = { name: "Jason", animal: "Kitten" };
var str  = Mustache.render("<p>Hello {{name}}, I hear you like {{animal}}s</p>", data);

I liked it so much I wrote up a Mustache sandbox to allow me to play around with the templating system live. The template syntax is a little archaic, but it is workable.

Note: They even have Arduino support, which I need to investigate.

I can never remember the correct MIME type for JSON so I wrote this wrapper function to simplify sending JSON to a browser.

// Convert a PHP data structure to JSON and send it to the browser
function json_output($obj) {
    $output = json_encode($obj, JSON_INVALID_UTF8_SUBSTITUTE);

    // http://tools.ietf.org/html/rfc4627
    header('Content-type: application/json');
    print $output;
    exit;
}

I need to rename a function anywhere it is found in my code base. This requires going through every file and directory recursively, and checking each file. Using the Linux find command we can find all the files and then hand the search and replace off to Perl. Easy peasy.

find codebase/ -type f -exec perl -pi -E 's/foo/bar/g' {} +

or using fd instead:

fd . codebase/ --type f --exec-batch -pi -E 's/foo/bar/g' {}

Modern Linux distributions are starting to require x86_64-v3 capable CPUs to run. If you do not have a CPU modern enough you may not be able to install certain versions of Linux. To test if your hardware is capable you can run the following command:

/usr/lib64/ld-linux-x86-64.so.2 --help

Basically any CPU made after 2015 will be fine.

I use sessions on my sites for user authentication. Calling session_start() initiates a session and allows me to check if the user is logged in or not. However, calling session_start() creates a new session for every hit on your site: bots, unauthenticated users, etc. This can lead to an excess of session files on your filesystem.

A better way is to explicitly call start_session() when your user logs in. On your other pages you can check if the user has the appropriate session cookie and start a session only when it's needed.

function start_session_if_exists() {
    if (isset($_COOKIE[session_name()]) && session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

This will avoid creating a session for every hit on your site.

You can apply the user-select CSS property to an element to control how it handles selecting text for copy and paste. This allows you to limit selecting text, or make it automatic. If you use the all property, anytime a user clicks on that element the text is automatically selected. This can be useful for keys or codes where the user is expected to copy and paste the text.

.click_select { user-select: all; }

Example:

Click me!

I need to find all the text files in a given directory for potential clean up. There is not a super easy way to find only text files, but I came up with a hacky solution:

# Using `fd` (new hotness)
fd . /tmp/ --exec file {} + | grep -P ":.*text" | cut -d: -f1

# Using old school `find` (old and busted)
find /tmp/ -exec file {} + | grep -P ":.*text" | cut -d: -f1

These rely on the file command to determine what the filetype is.

I needed a modern way to copy a string to the clipboard in JavaScript. Claude.ai helped me come up with this:

// With async/await
async function copyToClipboard(text) {
    try {
        await navigator.clipboard.writeText(text);
        console.log('Copied to clipboard');
    } catch (err) {
        console.error('Failed to copy: ', err);
    }
}

Then you simply call it with a string

copyToClipboard("Hello world");

RedHat Enterprise Linux/Rocky 10 has these versions of packages: