Nist Password Guidelines

As most of you probably know, NIST recently updated their password guidelines. The three big changes are:

  1. Use long, easy-to-remember passwords. Don’t worry so much about mixing in numbers and special characters.
  2. Don’t expire your users’ passwords—it only encourages bad password practices.
  3. For all but low-risk applications, use two-factor authentication.
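
As an added illustration (not code from the original post or from NIST), the following Python compares a classic composition-rule policy with one that follows the SP 800-63B memorized-secret rules the list above summarises: a minimum of 8 characters, a ceiling of at least 64, Unicode normalisation, no character-class requirements, and a check against a blocklist of common or breached passwords. The blocklist, the length ceiling of 128 and the sample passwords are constructed for the example.

```python
import unicodedata

# Constructed stand-in for the list of commonly used or breached passwords
# that SP 800-63B says a verifier should compare new secrets against.
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}

MIN_LENGTH = 8     # SP 800-63B: at least 8 characters
MAX_LENGTH = 128   # SP 800-63B: at least 64 must be accepted; 128 is an assumed bound


def legacy_policy(password: str) -> bool:
    """Old-style composition rule: 8+ characters with upper, lower, digit
    and symbol. Rejects long passphrases and accepts 'P@ssw0rd'."""
    if len(password) < MIN_LENGTH:
        return False
    return (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def nist_policy(password: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """SP 800-63B style check. Returns (accepted, reason).

    Normalising first matters: full-width or composed characters must not
    let a blocklisted value slip past the comparison."""
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(normalized) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    # Case-insensitive blocklist match is an assumption of this example.
    if normalized.lower() in blocklist:
        return False, "found on blocklist of common or breached passwords"
    # No composition rules and no expiry: length plus blocklist is the policy.
    return True, "accepted"


if __name__ == "__main__":
    samples = ["P@ssw0rd", "correct horse battery staple", "ｐａｓｓｗｏｒｄ", "short"]
    for pw in samples:
        ok, why = nist_policy(pw)
        print(f"{pw!r:35} legacy={legacy_policy(pw)!s:5} nist={ok!s:5} ({why})")
```

The passphrase fails the legacy rule but passes the NIST one, while 'P@ssw0rd' does the reverse, which is the point the guidelines make about complexity rules.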

The IEEE Spectrum has a Q&A with Paul Grassi, the author of the new guidelines. It’s a quick and easy read and will give you some valuable guidance on dealing with your own passwords. He doesn’t mention password managers, which I still believe to be the best solution for generating high-entropy passwords and managing them safely.

If you want more information, take a look at the actual guidelines. They’re long and detailed and written in bureaucratese but cover all the material.

  • NoonianAtall

    Maybe in 5-10 years all the "downstream" organizations (i.e. companies, universities, etc.) will actually stop forcing password expiration. But I guess that won't happen until insurance companies change their minds about it. The Pied Piper effect is so strong. :|

    • jcs

      Sadly, I suspect you're right.

      • Nicolò Balzarotti

        Hi, I quickly looked through the documents ("actual guidelines") but could not find the expiration thing (which I found in the interview), could you please tell me where it is? I'm going to ask my company to stop expiring my password. I end up using "password hasher" so my password still remains as secure as the original, but I've always been against this practice as it's quite nonsense.

        Thanks, Nicolò

        • NoonianAtall

          Look again, I found it without too much difficulty. :)

          • Nicolò Balzarotti

            Authentication and Lifecycle Management, page 14 if anybody has trouble like me XD