NISTS New 2017 Password Rules
May 2, 2017
This is actually really awesome, passwords don’t have to suck
Favor the user
Make your password policies user friendly and put the burden on the verifier when possible. In other words, we need to stop asking users to do things that aren’t actually improving security.
Much research has gone into the efficacy of many of our so-called “best practices” and it turns out they don’t help enough to be worth the pain they cause.
You should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.” We often advise people to use passphrases, so they should be allowed to use all common punctuation characters and any language to improve usability and increase variety.
No composition rules
What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”
Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
No password hints
None. If I wanted people have a better chance at guessing my password, I’d write it on a note attached to my screen.
Knowledge-based authentication (KBA) is out
KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”
No more expiration without reason.
This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.