by Dan Moren
New NIST recommendations take aim at bad password policies
Ars Technica’s Dan Goodin reporting on the latest guidelines from the National Institute of Standards and Technology about good passwords:
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.
Thank god. Back when I worked at a large institution that required password changes, the game was trying to figure out how similar you could keep your new password without it rejecting it. It was a bad game.
Other proposed changes: no restriction on which special characters can be used, a minimum required length of 8 with a minimum suggested length of 15, and password hints that are not accessible to unauthenticated users.
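To make the contrast concrete, here is an added example (mine, not code from the post, from Ars, or from NIST) that puts a typical legacy composition policy beside a policy in the spirit of the new rules: length is the only hard requirement, every printing character including spaces and non-ASCII is accepted, and rotation is driven by evidence of compromise rather than the calendar. The blocklist screen comes from SP 800-63B itself rather than from the post; the blocklist contents, the candidate passwords, and the function and constant names are all constructed for the example.

```python
import unicodedata
from datetime import date, timedelta

# Constructed stand-in for a breached/common-password blocklist (an assumption for this
# example; a real deployment would load a large list such as a Pwned Passwords export).
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein"}

# An arbitrary "allowed special characters" whitelist of the kind legacy policies impose.
LEGACY_ALLOWED_SPECIALS = set("!@#$%")


def normalized_length(pw: str) -> int:
    """Length in Unicode code points after NFKC normalization, so that a decomposed
    'n' + combining tilde and a precomposed 'ñ' count the same (and the same secret
    hashes the same way regardless of how the client composed it)."""
    return len(unicodedata.normalize("NFKC", pw))


def legacy_policy(pw: str) -> list[str]:
    """Old-style composition policy. Returns rejection reasons; empty means accepted."""
    reasons = []
    if not 8 <= len(pw) <= 16:
        reasons.append("length must be 8-16")
    if not any(c.isupper() for c in pw):
        reasons.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        reasons.append("needs a digit")
    specials = {c for c in pw if not c.isalnum()}
    if not specials:
        reasons.append("needs a special character")
    elif specials - LEGACY_ALLOWED_SPECIALS:
        reasons.append("contains a special character the policy does not allow")
    return reasons


def nist_policy(pw: str, min_len: int = 8, max_len: int = 64) -> list[str]:
    """SP 800-63B-style policy: a length floor, a generous ceiling, any printing
    character, and a blocklist check; no composition rules. Returns rejection
    reasons; empty means accepted."""
    reasons = []
    normalized = unicodedata.normalize("NFKC", pw)
    n = len(normalized)
    if n < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if n > max_len:
        reasons.append(f"longer than {max_len} characters")
    # Reject only control characters (Unicode category C*); spaces, punctuation,
    # and non-ASCII letters or symbols are all acceptable.
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        reasons.append("contains control characters")
    if normalized.casefold() in COMMON_PASSWORDS:
        reasons.append("appears on the common/compromised-password blocklist")
    return reasons


def legacy_needs_rotation(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Calendar-driven expiry: the kind of rule the new guidelines bar."""
    return today - last_changed > timedelta(days=max_age_days)


def nist_needs_rotation(compromised: bool) -> bool:
    """A change is forced only on evidence of compromise, never on a schedule."""
    return compromised


if __name__ == "__main__":
    # Constructed candidates: a "complex" password on every breach list, a long
    # passphrase with spaces, and a non-ASCII passphrase with an emoji.
    for candidate in ["P@ssw0rd", "correct horse battery staple", "🔐 mañana con café"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate) or 'accepted'} "
              f"nist={nist_policy(candidate) or 'accepted'}")
```

Run as a script, the legacy policy accepts `P@ssw0rd` and rejects both passphrases on four counts each, while the NIST-style policy does the reverse: the passphrases pass and `P@ssw0rd` fails only because it is on the blocklist. Counting length after NFKC normalization matters for the non-ASCII case, because otherwise two keyboards typing the same word can produce different lengths and different hashes.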
I maintain hope that passkeys will continue their march to make passwords obsolete, though adoption feels mixed so far: several big providers' sites have started using them, though the exact manner of implementation varies widely from company to company, and even within sites and services from the same company.
These updates are in the public comment phase for the next couple of weeks, but will hopefully be put into place before too long. While they aren’t binding, there are a number of places (including government agencies) that do tend to adhere to them as best practices.