Updated NIST Guidelines on Password Policies
Recently, we found a very worthwhile article explaining the NIST Guidelines regarding passwords. Here are a few excerpts from the article that we found especially useful. The link to the full article is below.
Let’s start with what’s new and what you should do in the world of the NIST password guidelines:
“Size matters. At least is does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters.
The author goes on to say that a user should “allow a maximum length of at least 64.” It’s okay, we thought, “Uh, what?” too. But the reason behind this advice is to make it so that there are no “unnecessary restrictions on length” thereby creating much more options for password combinations.
Now, lets go on to what you shouldn’t do when it comes to your passwords.
“No password hints. NONE. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen.”
We like this advice. For the simple fact that it’s extremely true. As the author points out, if you let people choose their passwords freely and encourage longer phrases, this can make it easier for them to remember a password they created. He uses a great example of a terrible password disguised as a good one — “pA55w+rd”…..a quick way for your “pA55w+rd” to get compromised.
“No more expiration without reason. This is my favorite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily.”
It’s okay — go ahead and raise your hands in the air and say “Woo Hoo!” Nothing is more frustrating than creating a solid password, remembering it (which is the hardest part for me, honestly), and then having to change it a month later. Now you don’t have to. As the author stated,
“NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.”