Can You Remember All of Your Passwords?

The era of incredibly hard passwords to remember may be coming to an end.

The National Institute of Standards and Technology (NIST) recently released Special Publication 800-63B. This government document, titled “Digital Identity Guidelines: Authentication and Lifecycle Management,” makes some significant changes to the guidance on creating hard-to-crack passwords and passphrases.

Bottom line: complex passwords that require upper/lower case letters, numbers and symbols have become burdensome and are impeding users’ ability to get their work done. Studies have found that long passphrases are very difficult to crack and easier for the user to remember.

While this document is only 78 pages long, the key take-away for many of our clients is that you can:

  • Eliminate the requirement to periodically change passwords. Passwords still must be changed if there is a chance that the account was compromised.
  • Eliminate the complexity requirement (a mix of upper/lower case letters, numbers, and symbols). Passwords should be long instead. NIST did not state how long, but 20 plus characters would be my recommendation. Examples might be – TheOSUBuckeyesarethebest, Quanexusforallyouritneeds, etc. To test a password’s strength, use this web site. I would not use an actual password on this site, but it will give you a good feel for what a good password might be.

The document also calls for implementing a system or algorithm that determines whether the password a user chooses is a weak password, or one that is easily found in a hash table of previously cracked or leaked passwords.
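To make the two points above concrete, here is an added example (not code from the original post, NIST, or Quanexus) of a password-acceptance check built on the policy just described: no composition rules, a length floor instead, and screening against a list of weak or previously breached passwords. The 20-character minimum follows the recommendation above, the 64-character ceiling and the blocklist contents are assumptions chosen for illustration, and one of the post’s sample passphrases is deliberately placed on the constructed blocklist to show that a passphrase published anywhere should be treated as already known to attackers.

```python
"""Added example: NIST-style password acceptance check.

Policy implemented here (assumptions for illustration, not NIST's exact text):
  * length floor of 20 characters (the post's recommendation), ceiling of 64
  * no upper/lower/digit/symbol composition rules
  * reject passwords found on a weak/breached list, repetitive passwords,
    and passwords containing context-specific words such as the username
"""
import hashlib
import unicodedata

MIN_LENGTH = 20   # the post's recommendation; NIST itself only mandates a floor of 8
MAX_LENGTH = 64   # long passphrases must be accepted, so keep the ceiling generous

# Constructed sample blocklist. A real deployment would load a large list of
# commonly used and previously breached passwords. "TheOSUBuckeyesarethebest"
# is included because it has been published as an example above.
_CONSTRUCTED_BREACHED = [
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "correcthorsebatterystaple", "TheOSUBuckeyesarethebest",
]


def normalize(password):
    """Apply Unicode NFKC normalization so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def _fingerprint(password):
    """Case-insensitive SHA-1 of the normalized password, used only as a lookup key
    for the blocklist (not as a storage hash; stored passwords need a slow KDF)."""
    return hashlib.sha1(normalize(password).lower().encode("utf-8")).hexdigest()


# Store the blocklist as fingerprints so the plaintext list need not sit in memory.
BLOCKLIST = {_fingerprint(p) for p in _CONSTRUCTED_BREACHED}


def in_blocklist(password):
    """True if the password matches a weak or breached entry (case-insensitive)."""
    return _fingerprint(password) in BLOCKLIST


def check_password(password, username=""):
    """Return (accepted, reasons). An empty reasons list means the password passes."""
    password = normalize(password)
    lowered = password.lower()
    reasons = []

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Context-specific words (NIST lists the username and service name as examples).
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    # Repetitive strings such as "aaaaaaaa" satisfy the length rule but add no strength.
    if len(set(lowered)) < 3:
        reasons.append("repetitive characters (fewer than three distinct characters)")
    if in_blocklist(password):
        reasons.append("appears on the weak or breached password list")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Note that the "complex" password fails on length alone, while the plain
    # lower-case passphrase passes: length, not symbols, is what the policy rewards.
    for candidate, user in [("P@ssw0rd1!", ""),
                            ("Quanexusforallyouritneeds", ""),
                            ("TheOSUBuckeyesarethebest", ""),
                            ("alicelikeslongpassphrases", "alice")]:
        ok, why = check_password(candidate, username=user)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

In practice the blocklist would be loaded from a file of known-breached passwords and refreshed periodically, and the check would run both at enrollment and whenever a password is changed; the "change only on suspected compromise" rule above then becomes a matter of forcing a reset when an account shows up in a breach, rather than on a calendar.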

If you want to stay up to date and be the first to receive our tech news, threat alerts and newsletters, be sure to sign up for our email list. If you would like more information contact us here or call 937.885.7272.

Posted by Jack Gerbs