The National Institute of Standards and Technology is working on new password guidelines that will be mandatory for federal agencies and strongly recommended for businesses as well. Still in draft form, the standards can be found in Special Publication 800-63-3: Digital Authentication Guidelines; the password-specific rules sit in its 800-63B volume (Authentication and Lifecycle Management). Here are some of the recommended changes so far. We approve, and in many cases have been recommending some of these for years.
- Passwords should be user friendly. Put the burden of making authentication secure on the verifier, the site or network doing the checking, not on the user.
- Remove complexity requirements. Composition rules (at least one uppercase letter, one digit, one symbol) add far less unpredictability than was expected, because most people satisfy them the same way: capitalize the first letter, use 1 for the digit, and tack an exclamation point on the end for the symbol. Attackers know this and build their guessing rules around it.
- Passwords should be longer. User-chosen passwords must be at least 8 characters, and verifiers must accept passwords of at least 64 characters. The 64 is a floor on what a site has to allow, not a cap on what a user may choose, and the site must not silently truncate what the user types.
- Allow more characters. Every printable ASCII character, including the space, must be accepted, and Unicode characters should be too, emojis included. (!) Each Unicode code point counts as one character, and the verifier should normalize the string (NFKC or NFKD) before hashing so the same password typed on different devices still matches.
- Passwords never expire. That's right, just as Bruce Schneier recommends and as we discussed in an earlier post of ours. You keep your password, and it is only reset if you forget it, if you gave it away in a phishing attack, or if the site's password database is known to have been breached. The draft's version: no arbitrary (for example periodic) forced changes, but a mandatory change whenever there is evidence of compromise.
- Disallow bad passwords. Check every new or changed password against a list of roughly 100,000 known bad choices: passwords exposed in previous breaches, dictionary words, repetitive or sequential strings such as aaaaaa and 1234abcd, and context-specific words such as the site name and the username. This means no more lame passwords such as OpenSesame or ThisIsAPassword.
- Eliminate password hints. A hint that is shown to anyone who types in the username, before they have authenticated, often gives an attacker too much of a clue. Like "rhymes with mass bird."
- No more secret questions. The answers to the usual knowledge-based questions can be dug up with a little sleuthing on Facebook or in public records. Name of your high school, mother's maiden name, grandfather's middle name: just too easy to find.
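To make the list concrete, here is a small Python verifier that applies the acceptance rules above: a minimum of 8 characters, a generous maximum well above 64, Unicode NFKC normalization with code-point counting, a blocklist check that also catches sequential strings and the account or site name, no composition rules at all, and salted PBKDF2 storage so the hard work sits with the verifier rather than the user. This is an added example, not code from NIST or from this post; the blocklist, the sample passwords, the 128-character cap and the 100,000 PBKDF2 iterations are our own choices for illustration, and a production system would load a real breach-derived list.

```python
"""Memorized-secret acceptance and storage in the spirit of the draft
NIST SP 800-63-3 / 800-63B rules summarized above.

Added example; not code from NIST or from the original post. The blocklist,
context words, sample passwords and tuning constants are constructed for
illustration; a real verifier loads a large breach-derived list.
"""
import hashlib
import hmac
import secrets
import unicodedata

MIN_LENGTH = 8       # user-chosen memorized secrets: at least 8 characters
MAX_LENGTH = 128     # assumption: must accept at least 64, so cap well above it
PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware, higher is better

# Constructed stand-in for a breach-derived blocklist (a real one is far larger).
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein",
    "opensesame", "thisisapassword", "iloveyou", "welcome1",
}


def normalize(secret: str) -> str:
    """NFKC normalization: the same text entered on different platforms (e.g. a
    ligature vs. separate letters) compares equal and is counted consistently."""
    return unicodedata.normalize("NFKC", secret)


def has_sequential_or_repeated(secret: str, run: int = 4) -> bool:
    """True if `run` consecutive characters are identical ('zzzz') or form a
    straight ascending/descending code-point sequence ('1234', 'dcba')."""
    codes = [ord(c) for c in secret]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, *, username: str = "", service: str = "",
                   blocklist=COMMON_PASSWORDS) -> list:
    """Return the reasons to reject `candidate`; an empty list means accept.

    Deliberately absent: composition rules ('must contain a digit'), a maximum
    anywhere near 64, and any notion of a hint or secret question.
    """
    secret = normalize(candidate)
    reasons = []
    length = len(secret)   # code points, so one emoji counts as one character
    if length < MIN_LENGTH:
        reasons.append("too short")
    if length > MAX_LENGTH:
        reasons.append("too long")
    folded = secret.casefold()
    if folded in blocklist:
        reasons.append("on blocklist")
    if any(w and w.casefold() in folded for w in (username, service)):
        reasons.append("contains account or service name")
    if has_sequential_or_repeated(secret):
        reasons.append("repeated or sequential characters")
    return reasons


def store_secret(secret: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest for the verifier's database.
    Returns (salt, digest); the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode("utf-8"),
                                     salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Constructed sample inputs: the hypothetical user 'alice' at 'examplebank'.
    for pw in ["OpenSesame", "P@ssw0rd", "1234abcd", "alice2024",
               "correct horse battery staple", "pass🐟word🔑ok"]:
        verdict = check_password(pw, username="alice", service="examplebank")
        print(f"{pw!r:34} -> {'accept' if not verdict else ', '.join(verdict)}")
    salt, digest = store_secret("correct horse battery staple")
    print("verify ok:", verify_secret("correct horse battery staple", salt, digest))
```

Run the same `check_password` at enrollment and on every password change, and normalize before hashing on both the store and verify paths; otherwise a password entered with a ligature or a composed accent on one device can fail to match on another even though the user typed the same thing.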