NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 2) by arslan on Wednesday October 11 2017, @05:40AM (2 children)
Can't seem to find mention of the password suggestion in the summary.. not in the main document linked nor one of the supplementary document... didn't read all the related docs though.
Can anyone (submitter?) maybe post which document actually had those points or is it just an opinion piece by submitter?
(Score: 2) by Phoenix666 on Wednesday October 11 2017, @01:24PM (1 child)
That's the whole article from Schneier on Security (linked at the top of the submission). It was short but the links in it are all there in the submission. The NIST PDF is linked, too.
Washington DC delenda est.
(Score: 2) by arslan on Wednesday October 11 2017, @09:48PM
Yes I saw, that but I can't find any material in the NIST PDF linked about the suggestions on password. Is it just me or does it read like those 3 suggestion on password was from the NIST document? I trawled through the NIST document and another linked supplementary document but couldn't seem to find it.
I'm not debating whether the suggestion are good or bad, but just trying to verify if it was indeed the NIST that published those suggestion or Schneier's own addition. This sentence make it seem like it was from NIST but I don't see it anywhere: