From 15fec0a3e38ea7623e89639ff392866ddaf43140 Mon Sep 17 00:00:00 2001 From: Allan Simon Date: Tue, 10 Sep 2019 20:58:45 +0200 Subject: [PATCH] update readme to not be plain and simple shaming so that we can also educate people on how to not be on that list --- README.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.rst b/README.rst index d7b1dffc..edaf106b 100644 --- a/README.rst +++ b/README.rst @@ -15,6 +15,21 @@ See other sites for the formatting and follow these rules: - Include at least one screenshot. - Keep the sites in alphabetical order. +Ok, I'm on that list, what should I do ? +---------------------------------------- + +We recommend you that in the future you refer to the OWASP (Open Web Application Security Project) +before implementing or specifying web applications. + +For example the current set of recommendation, and the rationals on "why" for password rules are here: +https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Authentication_Cheat_Sheet.md + +As of 2019, the rules are basically: + + * at least 8 characters long + * never expires + * better to check against a list of leaked/common passwords like https://haveibeenpwned.com/API/v3#PwnedPasswords + Sites ----- -----------------
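Review bot: the "never expires" bullet in the new section is stated more strongly than the linked OWASP cheat sheet supports, and the rules summary is incomplete: the cheat sheet recommends against forced periodic rotation but still expects passwords to be changed when there is evidence of compromise, and it also recommends allowing a maximum length of at least 64 characters and accepting all characters (including spaces and Unicode). Suggest rewording to "no forced periodic expiry (change only on evidence of compromise)" and adding the maximum-length and character-set points so readers following this list do not ship another overly restrictive policy. Two smaller fixes in the same hunk: "rationals" should be "rationale" and "set of recommendation" should be "set of recommendations", and the bullets are indented by two spaces, which reStructuredText renders as a block quote wrapping the list; starting the `* ` items at column 0 avoids that.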