NIST Recommends New Password Rules

The National Institute of Standards and Technology is working on new password guidelines which will be mandated for government sector users, and strongly recommended for businesses as well. Still in draft form, the standards can be found in the document Special Publication 800-63-3: Digital Authentication Guidelines. Here are some of the recommended changes, so far. We approve, and in many cases have been recommending some of these for years.

  • Passwords should be user friendly.  Place the authentication burden on the verifying site or network, not the user.
  • Remove complexity requirements.  They don’t work nearly as well as was expected, since most people capitalize the first letter, use the number 1 for the numeral, and the exclamation point for the symbol way too frequently.
  • Passwords should be longer – a minimum of 8 characters with a high side limit of 64.
  • Allow more characters.  Passwords can use any ASCII or Unicode character including spaces and emojis. (!)
  • Passwords never expire.  That’s right, just as recommended by Bruce Schneier and discussed in an earlier post of ours.  You get to keep your password, and it is only reset if you forget it, if you gave it away in a phishing exploit, or if there has been a known password database breach.
  • Disallow bad passwords.  Check new passwords against a 100,000 entry dictionary of known bad password choices.  This means no more lame passwords such as OpenSesame or ThisIsAPassword.
  • Eliminate password hints.  Often the hints provide too much of a clue for attackers.  Like “rhymes with mass bird.”
  • No more secret questions.  The answers to many secret questions can be discovered with a little sleuthing on Facebook or in public records.  Name of your high school, mother’s maiden name, grandfather’s middle name – just too easy to find.
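The list above describes a verifier-side policy: a length window of 8 to 64 characters, any Unicode character or space allowed, no composition rules, and a check against a dictionary of known-bad passwords. The following is an added example of such a check in Python; it is not code from the post or from NIST. The six-entry blocklist is a constructed stand-in for the 100,000-entry dictionary the post mentions, and the Unicode NFKC normalisation step is an assumption of this example rather than something the post states.

```python
import unicodedata
from typing import Tuple

# Constructed sample blocklist standing in for the ~100,000-entry dictionary
# the post mentions; a real deployment would load a large breach-derived list.
BAD_PASSWORDS = {
    "opensesame",
    "thisisapassword",
    "password",
    "123456",
    "qwerty",
    "letmein",
}

MIN_LEN = 8   # minimum length from the post
MAX_LEN = 64  # upper limit from the post


def check_password(candidate: str, blocklist=BAD_PASSWORDS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Deliberately has no complexity rules, no hints and no expiry: the only
    reasons to reject are length and membership in the known-bad list.
    """
    # Normalise so visually identical Unicode input is compared the same way.
    # (Assumption of this example; the post does not specify normalisation.)
    pw = unicodedata.normalize("NFKC", candidate)

    # Count code points, so an emoji or accented letter counts as one character
    # and embedded spaces are allowed as-is.
    length = len(pw)
    if length < MIN_LEN:
        return False, f"too short: {length} < {MIN_LEN}"
    if length > MAX_LEN:
        return False, f"too long: {length} > {MAX_LEN}"

    # Blocklist check, case-insensitive and with whitespace removed, so trivial
    # variants such as "Open Sesame" do not slip past the dictionary.
    key = "".join(pw.lower().split())
    if key in blocklist:
        return False, "appears in known-bad password list"

    return True, "ok"


if __name__ == "__main__":
    for sample in ("OpenSesame", "short", "correct horse battery staple",
                   "\U0001F511" * 8, "a" * 65):
        print(repr(sample[:20]), check_password(sample))
```

A passphrase with spaces and a string of eight key emojis both pass, while the dictionary words the post names are rejected regardless of capitalisation or inserted spaces.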


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
