NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 2) by Aiwendil on Wednesday October 11 2017, @01:15PM
And that really annoys me, I havn't signed up with my real name for anything in more than a decade (only about 60% of my friends know my real name, almost all knows this username however). Also how does it deal with name changes?
Why on earth would I sign up on a social networking site with a name very few people call me? (Not even my coworkers call me by my name, they instead uses one of the three irl-nicknames I have. I know some of them don't know my name) And it can be years between the times when I hear someone call me by my real name.