The United States National Institute of Standards and Technology (NIST) Special Publication 800-63B was updated with some very important changes. One of the more notable is that it no longer relies on complex passwords.
This has been an interesting read. I highly recommend you review the revision of their Digital Identity Guidelines. The Special Publication is on their site: NIST 800-63(b) (updated link).
Beyond dropping complexity requirements, their findings show that long passwords are better than elaborate composition rules, and the guidance also does away with forced password changes every 90 days.
A few other interesting changes include:
- No weird password creation rules
- Checking passwords against a database of known bad passwords
- No more password hints
This makes sense. Piling unnecessary security requirements onto general users encouraged bad password creation and management habits. Security teams everywhere could probably guess most of their users’ passwords or, better yet, find where they are written down. Those complexity requirements were mostly met at the bare minimum anyway.
Security researcher Jim Fenton has a great summary of these changes on his SlideShare account.
This is definitely a welcome proposal. I, for one, hated enforcing those old rules. Unfortunately, I suspect not everyone will be on board. Yes, I’m talking about old managers, but I’m also referring to external auditors. Password complexity and change requirements are part of the external auditor’s recommendations. So please check with any regulatory experts before you roll out a new policy.
Don’t be surprised if you get a “no” with no ETA. These things usually go before a board before the policy is updated. So expect a little discussion, risk analysis, and testing before anything changes.
Update: How do you check a password against a known database of bad passwords?
The Have I Been Pwned: Pwned Passwords site is available to help. This site was created by a well-known security researcher. Not only can you see if someone from your domain has been compromised in a recent data dump, but you can also check a password against a hefty database of breached ones. You could use his collected data to build an internal password checker if a developer on your team has spare time (yeah, right 🙂 ).
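To make the two ideas above concrete (the rule changes in the list earlier, and the "check it against a known-bad database" update), here is a small password evaluator written for this post as an added example; it is not code from NIST or from Have I Been Pwned. It applies the 800-63B-style checks the post describes (a length floor, no composition rules, a context check against the username, and a breached-password lookup) and it uses the same k-anonymity lookup shape the Pwned Passwords range API exposes: only the first five hex characters of the uppercase SHA-1 hash are sent, and the response lists matching hash suffixes with breach counts. To keep it runnable offline, the "range server" here is a constructed stand-in built from a tiny, made-up list of breached passwords rather than the real dataset; the `BREACHED`, `local_fetch_range`, `evaluate_password` names and the counts are assumptions for this example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# 800-63B sets 8 characters as the minimum for user-chosen memorized secrets
# and requires verifiers to accept at least 64; this example accepts up to 128.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed sample data (NOT the real Pwned Passwords corpus): password -> breach count.
BREACHED: Dict[str, int] = {"password123": 2, "qwerty": 5, "letmein": 1}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char range prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_responses(breached: Dict[str, int]) -> Dict[str, str]:
    """Build a stand-in for the range endpoint: prefix -> 'SUFFIX:COUNT' lines."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


RANGE_RESPONSES = build_range_responses(BREACHED)


def local_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    A real client would perform that HTTP request; the response body format
    (one 'SUFFIX:COUNT' per line) is the same as what is parsed below.
    """
    return RANGE_RESPONSES.get(prefix, "")


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines are ignored."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches (0 if not found).

    Only the 5-char prefix leaves the process; the suffix match happens locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, username: str,
                      fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Apply 800-63B-style checks: length, context words, breach list. No composition rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    # Context-specific words (the username here) are rejected per 800-63B.
    if username and username.lower() in password.lower():
        return False, "contains the username"
    count = breach_count(password, fetch_range)
    if count > 0:
        return False, f"found in {count} breach records"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["abc", "password123", "alice-rules-2024", "correct horse battery staple"]:
        print(repr(candidate), "->", evaluate_password(candidate, "alice", local_fetch_range))
```

Swapping `local_fetch_range` for a function that performs the real range request is the only change needed to point this at the live service; the rest of the logic, including the fact that no full password hash ever leaves the machine, stays the same.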