Changes in Password Best Practices
NIST recently published its four-volume SP800-63b Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Brian • October 10, 2017 6:51 AM
I agree basically, but doesn’t 3) kinda make 1) and 2) obsolete? If I use a pw manager and don’t have to remember them, don’t complex rules or auto generated passwords with high complexity actually do make them more secure?
1) is in place because people cannot remember complex passwords and reuse the same over multiple accounts.
So … if you use a pw manager, do use complex passwords.