As most of you probably know, NIST recently updated their password guidelines. The three big changes are:
- Use long, easy-to-remember passwords. Don’t worry so much about mixing in numbers and special characters.
- Don’t expire your users’ passwords—it only encourages bad password practices.
- For all but low-risk applications, use two-factor authentication.
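As an added illustration, not code from the post or from NIST, the small Python model below contrasts a legacy composition-and-expiry policy with one that follows the first two points above. The length limits, the 90-day rotation period and the common-password list are this example's own assumptions; the blocklist check goes slightly beyond the post, since the guidelines also call for screening candidates against commonly used passwords.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed sample of commonly used passwords for this example; a real
# deployment would screen against a full breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


@dataclass
class Policy:
    min_length: int
    max_length: int
    require_mixed_classes: bool   # legacy "upper+lower+digit+symbol" rule
    max_age_days: Optional[int]   # None means passwords never expire
    check_blocklist: bool


# Thresholds are this example's assumptions, not figures from the post.
LEGACY = Policy(8, 16, True, 90, False)
NIST_STYLE = Policy(8, 64, False, None, True)


def accepts(policy: Policy, password: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under a policy."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False, f"length must be {policy.min_length}-{policy.max_length}"
    if policy.require_mixed_classes:
        classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
        if not all(re.search(c, password) for c in classes):
            return False, "needs upper, lower, digit and symbol"
    if policy.check_blocklist and password.lower() in COMMON_PASSWORDS:
        return False, "appears on common-password list"
    return True, "ok"


def must_rotate(policy: Policy, set_on: date, today: date) -> bool:
    """Legacy policy forces a change after max_age_days; the NIST-style one never does."""
    if policy.max_age_days is None:
        return False
    return today - set_on >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    for pw in ["my dog chases the mailman every tuesday", "P@ssw0rd"]:
        print(pw, "legacy:", accepts(LEGACY, pw), "nist:", accepts(NIST_STYLE, pw))
```

Note that the long passphrase fails the legacy policy only because of its length cap, while the short "compliant" password sails through it and is caught only by the blocklist.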
The IEEE Spectrum has a Q&A with Paul Grassi, the author of the new guidelines. It’s a quick and easy read and will give you some valuable guidance on managing your own passwords. He doesn’t mention password managers, which I still believe to be the best solution for generating high-entropy passwords and managing them safely.
If you want more information, take a look at the actual guidelines. They’re long and detailed and written in bureaucratese but cover all the material.