The National Institute of Standards and Technology (NIST) has decided it’s time to put an end to some of the U.S. government’s oldest, most frustrating, and strangest password requirements.
Some of the requirements NIST wants to eliminate include mandatory resets, security questions, and the use of certain characters when creating a secure password.
Good cybersecurity hygiene calls for unique, hard-to-guess passwords, but unless you use a password manager, remembering them is a struggle.
Bye, @ll1g4t0r
In the sprawling SP 800-63-4, the draft document that lays the groundwork for compliance for organizations working with the federal government, NIST has removed the requirement to enforce a periodic password change policy. Mandatory rotation was originally adopted to limit the damage from a leaked password: if credentials are changed on a schedule, a stolen password only works until the next reset.
The downside, of course, was that people responded with easy-to-remember, one-word passwords and then just swapped the special character or bumped the number at the end by one (we’ve all done it). Password generators have made this practice almost obsolete, since the user can set the length, character set, and complexity to meet any organizational requirement.
NIST has also dropped the special character requirement: passwords no longer need to contain a mix of upper- and lower-case letters along with special characters. NIST has, however, included a clause stating that if there is evidence a credential may have been compromised, organizations must force a password change.
Knowledge-based authentication, such as memorable places and security questions, is also prohibited. People who interact with the federal government will no longer have to remember the name of their first pet or a sibling’s middle name to reset a password. The SP 800-63-4 Digital Identity Guidelines document is still in its second draft and therefore subject to change, but it signals that password practices are about to change for the better.
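To make the contrast concrete, here is an added example in Python (written for this page, not code from the article or from NIST): a legacy verifier that enforces composition rules and calendar-based expiry, beside a verifier aligned with the draft that checks only length and a breached-password blocklist and forces a change only when compromise is suspected. The 15-character minimum and 64-character maximum are assumptions taken from the draft guideline rather than from this article, and the blocklist contents are constructed sample data.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of breached/common passwords for this demonstration.
# A real verifier would consult a large breach corpus; this set is an
# assumption of the example, not data from the article.
BREACHED_PASSWORDS = {"password", "@ll1g4t0r", "Summer2024!", "qwerty123"}


def legacy_policy(password: str) -> list[str]:
    """Composition-rule checks of the kind the draft drops.

    Returns the list of reasons for rejection (empty means accepted).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def nist_style_policy(password: str, min_length: int = 15,
                      max_length: int = 64) -> list[str]:
    """Length plus blocklist only; no composition rules.

    The 15/64 defaults are assumptions drawn from SP 800-63B-4, not from
    the article. Length is counted in Unicode code points, so non-ASCII
    characters (and spaces in a passphrase) count fully.
    """
    problems = []
    n = len(password)
    if n < min_length:
        problems.append(f"shorter than {min_length} characters")
    if n > max_length:
        problems.append(f"longer than {max_length} characters")
    if password in BREACHED_PASSWORDS:
        problems.append("appears in a breach/common-password list")
    return problems


@dataclass
class Account:
    password_set: date
    compromise_suspected: bool = False  # flipped when evidence of compromise appears


def legacy_must_change(acct: Account, today: date, max_age_days: int = 90) -> bool:
    """Calendar-driven rotation: expire after max_age_days regardless of risk."""
    return today - acct.password_set > timedelta(days=max_age_days)


def nist_style_must_change(acct: Account) -> bool:
    """Event-driven rotation: force a change only on evidence of compromise."""
    return acct.compromise_suspected


def rotation_decisions(days_since_set: int, compromise_suspected: bool) -> tuple[bool, bool]:
    """Return (legacy_decision, nist_decision) for an account set N days ago.

    Uses a fixed reference date so results are reproducible.
    """
    today = date(2024, 10, 1)
    acct = Account(password_set=today - timedelta(days=days_since_set),
                   compromise_suspected=compromise_suspected)
    return legacy_must_change(acct, today), nist_style_must_change(acct)


if __name__ == "__main__":
    for pw in ("@ll1g4t0r", "Summer2024!", "river otter misplaced the kettle"):
        print(f"{pw!r}: legacy={legacy_policy(pw) or 'accept'}, "
              f"nist={nist_style_policy(pw) or 'accept'}")
    print("stale, not compromised:", rotation_decisions(100, False))
    print("fresh, compromised:    ", rotation_decisions(1, True))
```

Running it shows the inversion the article is getting at: the legacy rules accept "Summer2024!" and reject a 32-character passphrase for lacking a digit and a symbol, while the draft-aligned checks do the reverse, and a password set yesterday is forced to change only if compromise is suspected, while a 100-day-old one is left alone.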
Via ArsTechnica