NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @10:24AM
I generate random passwords with a little CLI app I wrote, and then memorize them. It is easier than it sounds. I have to keep them temporarily written down for some time (couple of days, a week) until they sink in, but after a little while, my memory is refreshed daily by recalling the passwords. Generally I reuse my passwords for all resources and services of same organization, but keep separate passwords for separate organizations. I also have a single default burner password for online resources that IMO shouldn't need access control at all but they are forcing registration upon me.
Obviously, the problem with my scheme is that I forget passwords which I don't use frequently. Sometimes I have a problem to recall them after e.g. a vacation.