Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Password Best Practices: The Changes from NIST

October 12, 2017

I love the pithy Bruce Schneier. As he notes in a recent post, the old password rules were "failed attempts to fix the user. Better we fix the security systems."

And that is what the National Institute of Standards and Technology (NIST) attempted to do in its Digital Identity Guidelines (SP 800-63-3), published in June of 2017. The password rules themselves live in the companion volume SP 800-63B.

Three major pieces of advice from NIST:

  1. Requiring complex passwords is annoying, and it makes passwords harder to remember. Artificially complex passwords are also harder to type, so they increase login errors, and they don't add much security. It's better to allow people to use long passphrases. As we've been lecturing for years!
  2. Password expiration every 30 or 60 or 90 days makes no sense. It just makes everything harder to remember and causes security fatigue. The new thinking is that passwords should be checked against a list of known compromised passwords when they are set, and changed only when there is some indication of compromise.
  3. Use password managers. A manager generates and stores a different password for every site, which is the practical way to keep people from reusing passwords and risking compromise in multiple places.
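Points 1 and 2 above describe what a verifier should actually do when a user picks a password: enforce a minimum length, skip composition rules, and screen the candidate against a blocklist of breached and context-specific values. The following is an added example, not code from the original post or from NIST, showing those checks in Python. The breached-password corpus and its hit counts are constructed for the example, and the `lookup_range` function is an offline stand-in for a k-anonymity range lookup of the kind Have I Been Pwned's Pwned Passwords API offers (client sends only the first five hex characters of the SHA-1, receives the matching suffixes, compares locally).

```python
import hashlib

# Constructed blocklist for this example: {password: times seen}. The counts
# are placeholders, not real breach statistics.
COMPROMISED_SAMPLE = {
    "password": 5,
    "123456789": 4,
    "qwerty123": 3,
    "letmein": 2,
}


def sha1_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the usual blocklist key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Index a {password: count} corpus by the first five hex chars of its SHA-1.
    Each bucket holds 'SUFFIX:COUNT' lines, the shape a k-anonymity range
    endpoint returns."""
    ranges: dict = {}
    for pw, count in corpus.items():
        h = sha1_upper(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return ranges


BREACH_RANGES = build_ranges(COMPROMISED_SAMPLE)


def lookup_range(prefix: str) -> list:
    """Offline stand-in for a range query (hypothetical local lookup). In the
    real protocol only this 5-character prefix leaves the verifier, so the
    full hash of the candidate password is never disclosed."""
    return BREACH_RANGES.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appears in the blocklist (0 if absent)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup_range(prefix):
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def check_memorized_secret(password: str, username: str = "", service: str = "",
                           min_len: int = 8, max_len: int = 128) -> tuple:
    """Screen a candidate password along the lines of SP 800-63B section 5.1.1:
    at least 8 characters, a maximum no lower than 64, no composition rules,
    and rejection of blocklisted values (breach corpora plus context-specific
    words such as the username or service name). Returns (accepted, reason)."""
    # len() counts Unicode code points and keeps spaces, so passphrases with
    # spaces and non-ASCII characters are measured as the guidelines intend.
    if len(password) < min_len:
        return False, f"must be at least {min_len} characters"
    if len(password) > max_len:
        return False, f"must be at most {max_len} characters"
    lowered = password.lower()
    for word in (username, service):
        if word and word.lower() in lowered:
            return False, "must not contain the username or service name"
    hits = breach_count(password)
    if hits:
        return False, f"appears in a breach corpus ({hits} occurrences)"
    # Deliberately no upper/lower/digit/symbol requirement: composition rules
    # are the "fix the user" approach the new guidelines drop.
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("password", "short1", "alice2024!!", "correct horse battery staple"):
        print(repr(pw), check_memorized_secret(pw, username="alice", service="example"))
```

The order of the checks matters in practice: length and context checks are local and cheap, so they run before the blocklist lookup, and the blocklist is consulted at enrollment and password change rather than on a calendar schedule, which is exactly the replacement for periodic expiry.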

Amen brother. It's been a long time coming, but I am glad these recommended changes are finally here.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson