After decades of making passwords harder and harder to manage, while the whole time every security professional and data scientist could show you that it did not make account credentials more secure, NIST recently published its four-volume SP 800-63-3 Digital Identity Guidelines, which made it official.
This is a brave release and the first step toward private industry now taking the lead in product innovation, customer experience, and everyday computing system use around authentication and authorization. The guidelines make three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember, they increase errors because artificially complex passwords are harder to type, and they don’t help that much. It’s better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea from an older way of using computers. Today, don’t make people change their passwords unless there’s an indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
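As an added illustration (not code from the post, from Schneier, or from NIST), here is a Python sketch of the two policies side by side: the legacy composition rule, and a check in the style of SP 800-63B section 5.1.1.2, which replaces composition rules with a minimum length plus a blocklist of common, breached and context-specific values, and replaces age-based expiration with a change forced only on evidence of compromise. The blocklist entries, context words and function names are constructed for the example.

```python
import unicodedata

# Constructed sample blocklist for this example. A real verifier loads a large
# list of breached, dictionary and commonly chosen values (SP 800-63B 5.1.1.2).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}


def legacy_complexity_ok(pw: str) -> bool:
    """The composition rule the post argues against: 8+ chars, all four classes."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def _repetitive_or_sequential(s: str) -> bool:
    """True for 'aaaaaaaa' or 'abcdefgh' / '12345678' style values (63B examples)."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def nist_memorized_secret_ok(pw: str, context_words=(), min_len=8, max_len=64):
    """SP 800-63B style check: length plus blocklist, no composition rules.

    Returns (accepted, reason). context_words is a hypothetical caller-supplied
    list (username, service name) that must not appear inside the secret.
    """
    pw = unicodedata.normalize("NFKC", pw)  # 63B: normalize before measuring/comparing
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:  # 63B: permit at least 64 chars, and never truncate silently
        return False, "too long"
    folded = pw.casefold()
    if folded in BLOCKLIST:
        return False, "commonly used or breached"
    if any(w.casefold() in folded for w in context_words if w):
        return False, "contains context-specific word"
    if _repetitive_or_sequential(folded):
        return False, "repetitive or sequential"
    return True, "ok"


def change_required(age_days: int, compromised: bool, legacy_rotation_days: int = 90):
    """Legacy policy expires on age; NIST forces a change only on evidence of compromise."""
    return age_days >= legacy_rotation_days, compromised
```

A long pass phrase such as "correct horse battery staple" fails the legacy rule but passes the NIST-style check, while "P@ssw0rd" does the opposite, which is the whole point of the first bullet.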
Bruce Schneier highlighted these three bullets, and there is an excellent discussion going on in the comments. I recommend that developers, security professionals, and businesses review this guidance from NIST and make the right choices! Source: Changes in Password Best Practices – Schneier on Security