NIST Password Guidelines

As most of you probably know, NIST recently updated their password guidelines. The three big changes are:

  1. Use long, easy-to-remember passwords. Don’t worry so much about mixing in numbers and special characters.
  2. Don’t expire your users’ passwords—it only encourages bad password practices.
  3. For all but low-risk applications, use two-factor authentication.

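To make the first point concrete, here is an added example (not code from the post or from NIST) that puts a traditional composition-rule checker beside a length-plus-denylist checker of the kind the updated guidelines favour. The 8-character minimum and 64-character allowance follow SP 800-63B; the denylist is a constructed handful of entries standing in for a real breached-password corpus, and the function names are my own.

```python
import re
import unicodedata

# Constructed stand-in for a compromised/commonly-used password list. A real
# deployment would load a large corpus from disk rather than hard-code it.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd", "welcome1",
}


def legacy_policy(password: str) -> tuple[bool, str]:
    """Old-style policy: 8-16 characters plus mandatory character classes.

    This is the pattern the new guidelines move away from: it rejects long
    passphrases outright and accepts short, predictable 'complex' strings.
    """
    if not 8 <= len(password) <= 16:
        return False, "length must be 8-16 characters"
    checks = [
        (r"[A-Z]", "missing an upper-case letter"),
        (r"[a-z]", "missing a lower-case letter"),
        (r"[0-9]", "missing a digit"),
        (r"[^A-Za-z0-9]", "missing a special character"),
    ]
    for pattern, reason in checks:
        if not re.search(pattern, password):
            return False, reason
    return True, "ok"


def nist_style_policy(password: str, min_len: int = 8, max_len: int = 64) -> tuple[bool, str]:
    """Length and denylist check in the spirit of the updated guidelines.

    No composition rules, no short cap that blocks passphrases, and known-bad
    passwords are rejected regardless of how 'complex' they look.
    """
    # Normalize so that visually identical Unicode input is measured consistently.
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(normalized) > max_len:
        return False, f"longer than {max_len} characters"
    if normalized.lower() in BREACHED_PASSWORDS:
        return False, "appears in the compromised-password list"
    return True, "ok"


def compare_policies(candidates: list[str]) -> dict[str, dict[str, bool]]:
    """Return the accept/reject verdict of both policies for each candidate."""
    return {
        pw: {"legacy": legacy_policy(pw)[0], "nist": nist_style_policy(pw)[0]}
        for pw in candidates
    }


if __name__ == "__main__":
    # Constructed samples: a 'complex' breached string, a long passphrase,
    # a string both policies accept, and a plain dictionary word.
    samples = ["P@ssw0rd", "correct horse battery staple", "Summer2017!", "password"]
    for pw, verdict in compare_policies(samples).items():
        print(f"{pw!r:35} legacy={verdict['legacy']!s:5} nist={verdict['nist']!s:5}")
```

Running it shows the disagreement that matters: `P@ssw0rd` satisfies every composition rule yet is rejected by the denylist, while the 28-character passphrase fails the legacy length cap and passes the NIST-style check.
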
The IEEE Spectrum has a Q&A with Paul Grassi, the author of the new guidelines. It’s a quick and easy read and will give you some valuable guidance on dealing with your own passwords. He doesn’t mention password managers, which I still believe to be the best solution for generating high-entropy passwords and managing them safely.

If you want more information, take a look at the actual guidelines. They’re long and detailed and written in bureaucratese but cover all the material.
