The latest NIST (United States National Institute for Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
(Score: 5, Touché) by MichaelDavidCrawford on Friday August 19 2016, @09:55PM
If I need to join a site that requires a strong password, I enter some random gibberish that I'll never ever remember, then request a password reset every last time I log in.
That cannot possibly be secure.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Funny) by Scruffy Beard 2 on Saturday August 20 2016, @05:44AM
Been there, done that.
Often, the reset password is not truly random. So if you reset your password, but don't change it, you may suddenly be using a common password.
(Score: 2) by vux984 on Tuesday August 23 2016, @10:30PM
I deal with a client site like that. Most irritating part is that it's a site I only need to use once every 3-4 months, but they make users reset their passwords every 30 days, and they auto-deactivate the account after 60 days, requiring me to jump through some more hoops to reactivate.
So I have to phone them, have them reactivate the account, and then reset the password, pretty much every time I need to log in.