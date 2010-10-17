Stories
Phoenix666 writes:

Schneier on Security:

NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:

- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.

- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.

- Let people use password managers. This is how we deal with all the passwords we need.

These password rules were failed attempts to fix the user. Better we fix the security systems.

Does this mean we can stop composing our passwords like Q*bert?

  • (Score: 1, Funny) by Anonymous Coward on Tuesday October 10, @09:47PM (2 children)

    by Anonymous Coward on Tuesday October 10, @09:47PM (#580087)

    Do these new rules mean I can change my password back to "hunter2"?

  • (Score: 2) by bzipitidoo on Tuesday October 10, @09:57PM

    by bzipitidoo (4388) Subscriber Badge on Tuesday October 10, @09:57PM (#580099) Journal

    What really annoys me are the "security questions" that are passwords in all but name. I've been locked out of accounts despite knowing the password, because I couldn't answer the security questions within 3 tries (did I capitalize the first letter of my answer? etc.), and they have this stupid 3 strikes policy. Facebook will allow only 3 guesses per hour. Others lock up permanently after 3 failed guesses, and you have to call customer service to get it unlocked.

    It's effectively 7 passwords to remember when a site demands no less than 6 security questions. Worse, with that many questions and a 3 strikes policy, you'd better make sure you have the answers paired up with the correct questions, so you have to record the questions too.

