Wednesday, November 30, 2016

NIST is bringing some common sense to password policies

As a consultant I’m frequently confronted with strange password policies. Every company I visit has different password rules with different expiration windows and so on. Although a password manager helps me to keep my sanity, I have a hard time understanding some of the multipage password rules that customers are using.

But ok, if it makes our systems more secure, it’s a burden I’m willing to carry. Unfortunately there is enough research available that shows that most of these rules make no sense and doesn’t help to improve security at all…

So reading the following post(https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/) about NIST(the United States National Institute for Standards and Technology) and the new guidelines for password policies they published made me happy.

An extract of some of the rules:

  • A minimum of 8 characters.
  • Allow at least a maximum of 64 characters(I hate it when I cannot use passphrases)
  • No composition rules (again, I hate it when I cannot use passphrases)
  • No password hints
  • No knowledge-based authentication(questions that only you should know the answer, like your favorite color Confused smile)
  • No more password expiration without reason

Thank you NIST!

2 comments:

Bangalore Web Guru said...

Very nice article. Thanks for sharing. Keep updating Website Design Company Bangalore | Web Designing Company Bangalore

Blogger said...

Bluehost is ultimately the best hosting company for any hosting plans you might require.