The National Institute of Standards and Technology (NIST) has decided it is time to bin some of the oldest, frustrating, and strange password requirements for the US government.
Among the requirements NIST is looking to do away with are mandatory resets, security questions and the use of certain characters when crafting a secure password.
Good cybersecurity hygiene demands the use of unique and complex passwords to ensure the highest level of security, but if you aren’t using one of the best password managers they can be a pain to remember.
See ya later, @ll1g4t0r
Included in the incomprehensibly huge SP 800-63-4 document released by NIST that lays the compliance groundwork for organizations that interact with the federal government, the agency has removed the need for organizations to enforce a periodic password change policy. Changing passwords regularly was originally brought in as a rule to combat password leaks in the thinking that if a password is leaked and then changed, the old credentials will no longer work if used by an attacker.
The downside of course was that people began using easily memorized passwords of a single word, and then just changing the special characters or increasing the numbers on the end by one (We’ve all done it). Password generators have rendered this practice almost obsolete, as the desired length, special characters, and complexity can be determined by the user to comply with any organizational demands.
The requirement of special characters has also been removed by NIST, and password will no longer need to include some kind of combination of lowercase and uppercase characters, along with special characters. Obviously, NIST has included a clause that states if there is any evidence a credential could have been compromised, then organizations should force a password change.
Additionally, knowledge-based authentication such as memorable places and security questions are to be banned from use. No longer will those interacting with the federal government be forced to remember the name of their first pet or a sibling’s middle name in order to reset a password. The SP 800-63-4 Digital Identity Guidelines document is only in its second draft, and is therefore subject to change, but it is a signal that password practices could be about to change for the better.
Via ArsTechnica