We have covered this issue before, but it bears repeating. The new NIST Digital Identity Guidelines are out, and the authenticator volume (SP 800-63B) throws out some old password chestnuts because they did not work, or did not work as intended.
Below are the significant changes to password policy.
- An end to password complexity rules. When forced to mix character classes, users tend to create shorter passwords built from obvious substitutions (P@ssw0rd1! for "password"), and password-cracking tools undo those substitutions with simple mangling rules. Composition rules therefore add little against automated guessing while making passwords harder to remember.
- An end to mandatory password expiration. Forced rotation again produces shorter, easier passwords so users can keep track of them, and predictable patterns built from a month or season, a year and a symbol make the next password guessable from the last one. Change a password when there is evidence it has been compromised; otherwise it can be kept as long as you like.
- Begin using two-factor authentication. With 2FA, even if your password is compromised, an attacker also needs the second factor (a hardware token, an authenticator app or similar) to reach the account or protected asset. Enable it wherever it is offered.
- Begin using a password manager. A password manager generates long, random passwords and fills in the user ID and password automatically, so keeping several hundred credentials in a secure, easy-to-use vault is practical and nothing has to be memorized. Its secure notes can also hold the answers to password-reset security questions, which can then be random strings rather than guessable facts. The vault's master password becomes the one password you must remember, so make it long and protect the vault with 2FA.
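To make the first two points concrete, here is an added example (not from the original post) in Python. It puts the legacy composition rule next to a check in the spirit of SP 800-63B that relies on length and on screening candidates against a list of breached or common passwords, which the guidelines also require. It shows why P@ssw0rd1! satisfies the old rule yet falls to a trivial un-leeting step, why Summer2024! is the kind of password expiry trains people into, and what a password manager produces instead. The breached-password set, the substitution table, the rotation pattern and the sample passwords are constructed for illustration, and the function names are my own.

```python
import re
import secrets
import string

# Constructed sample of a breached/common-password list. A real verifier would
# screen against a large corpus such as the Have I Been Pwned Pwned Passwords list.
BREACHED = {"password", "letmein", "qwerty", "welcome", "summer", "monkey", "iloveyou"}

# Character substitutions users reach for when a composition rule demands digits
# and symbols. Cracking tools apply the same table as mangling rules, so the
# substitutions add almost no work for an attacker.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Month/season + year (+ optional symbol): the pattern mandatory expiry trains
# users into ("Summer2024!", "march-24"). Constructed for this example.
ROTATION = re.compile(
    r"(january|february|march|april|may|june|july|august|september|october|"
    r"november|december|spring|summer|autumn|fall|winter)[\W_]*(19|20)?\d{2}[\W_]*",
    re.IGNORECASE,
)


def passes_legacy_complexity(pw: str) -> bool:
    """The rule NIST dropped: 8+ chars with upper, lower, digit and symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalize(pw: str) -> str:
    """Undo the obvious mangling: drop trailing digits/symbols, un-leet, lowercase."""
    stripped = re.sub(r"[\W\d_]+$", "", pw)
    return stripped.translate(LEET).lower()


def accept_password(pw: str, breached=BREACHED) -> tuple[bool, str]:
    """SP 800-63B-style check: minimum length plus screening, no composition rules."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if ROTATION.fullmatch(pw):
        return False, "month/season + year rotation pattern"
    if pw.lower() in breached or normalize(pw) in breached:
        return False, "matches a breached/common password after normalization"
    return True, "ok"


def generate_password(length: int = 20) -> str:
    """What a password manager does: long and random, no memorability needed."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    samples = ["P@ssw0rd1!", "Summer2024!", "correct horse battery staple", generate_password()]
    for candidate in samples:
        print(f"{candidate!r:36} legacy={passes_legacy_complexity(candidate)!s:5} "
              f"nist={accept_password(candidate)}")
```

Run it and the first two candidates pass the legacy rule and fail the screening check, while the passphrase with spaces fails the legacy rule (no upper-case letter) and passes the screening check; the generated password passes both. The normalization step is deliberately simple: production verifiers get the same effect by checking the candidate directly against a large breached list, which already contains the mangled variants.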