As a consultant I’m frequently confronted with strange password policies. Every company I visit has different password rules with different expiration windows and so on. Although a password manager helps me to keep my sanity, I have a hard time understanding some of the multipage password rules that customers are using.
But ok, if it makes our systems more secure, it’s a burden I’m willing to carry. Unfortunately there is enough research available that shows that most of these rules make no sense and doesn’t help to improve security at all…
So reading the following post(https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/) about NIST(the United States National Institute for Standards and Technology) and the new guidelines for password policies they published made me happy.
An extract of some of the rules:
- A minimum of 8 characters.
- Allow at least a maximum of 64 characters(I hate it when I cannot use passphrases)
- No composition rules (again, I hate it when I cannot use passphrases)
- No password hints
- No knowledge-based authentication(questions that only you should know the answer, like your favorite color )
- No more password expiration without reason
Thank you NIST!