Technology

The US government wants to cut out some of its weirdest password rules

September 26, 2024

The National Institute of Standards and Technology (NIST) has decided it is time to bin some of the oldest, frustrating, and strange password requirements for the US government.

Among the requirements NIST is looking to do away with are mandatory resets, security questions and the use of certain characters when crafting a secure password.

Good cybersecurity hygiene demands the use of unique and complex passwords to ensure the highest level of security, but if you aren’t using one of the best password managers they can be a pain to remember.

See ya later, @ll1g4t0r

Included in the incomprehensibly huge SP 800-63-4 document released by NIST that lays the compliance groundwork for organizations that interact with the federal government, the agency has removed the need for organizations to enforce a periodic password change policy. Changing passwords regularly was originally brought in as a rule to combat password leaks in the thinking that if a password is leaked and then changed, the old credentials will no longer work if used by an attacker.

The downside of course was that people began using easily memorized passwords of a single word, and then just changing the special characters or increasing the numbers on the end by one (We’ve all done it). Password generators have rendered this practice almost obsolete, as the desired length, special characters, and complexity can be determined by the user to comply with any organizational demands.

The requirement of special characters has also been removed by NIST, and password will no longer need to include some kind of combination of lowercase and uppercase characters, along with special characters. Obviously, NIST has included a clause that states if there is any evidence a credential could have been compromised, then organizations should force a password change.

Additionally, knowledge-based authentication such as memorable places and security questions are to be banned from use. No longer will those interacting with the federal government be forced to remember the name of their first pet or a sibling’s middle name in order to reset a password. The SP 800-63-4 Digital Identity Guidelines document is only in its second draft, and is therefore subject to change, but it is a signal that password practices could be about to change for the better.

Via ArsTechnica

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar