Admins, it’s time to change those ancient password policies. For years we’ve been told to carefully craft our passwords… add upper case letters… oh, and numbers… oh, and special characters… Oh, and in 30 days you’ll have to choose a new one. Quite annoying!
No more!
Enter “NIST Special Publication (SP) 800-63-3 Digital Identity Guidelines”. NIST is the National Institute of Standards and Technology, a US government agency (Commerce Department).
Bill Burr was the NIST employee behind the password policies that have been in effect for the last 15 years. According to an August 2017 Wall Street Journal article, he said he made a “mistake” with the password policy. He acknowledged that the 15 year old password policy was just as annoying and ineffective for security personnel as it was for end users. He acknowledged that these passwords were frequently hard to remember and easy to hack.
Because of that, NIST took action and drafted a new policy to become the standard. That standard took effect two years ago. It does away with special combinations of types of characters, password expiration dates, etc.
The new NIST password standard simple. Use longer passwords (suggest making a nonsense phrase, or combine words or parts of words). Don’t use/allow passwords that have been mined from prior breaches.
SP 800-63-3 deals in general with Identity. When implementing company policy, always refer directly to the standard, specifically the NIST SP 800-63B
A good security blogger would not pass up the opportunity to suggest considering 2FA when implementing an authentication mechanism!
If you’re fed up with the whole password thing in general, consider implementing SQRL.
Keywords: password, authentication, NIST, new guidelines, authentication secret, SQRL, 2fa, two factor authentication,