
Standards group recommends removing periodic password change requirements


+warwagon    13,035

Vendors approve of NIST password draft

Standards group recommends removing periodic password change requirements

 

Quote

A recently released draft of the National Institute of Standards and Technology’s (NIST's) digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies.

The new framework recommends, among other things:

Remove periodic password change requirements

There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is indication of breach.

Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements needing mixtures of upper case letters, symbols and numbers. Like frequent password changes, it’s been shown repeatedly that these types of restrictions often result in worse passwords, Wilson adds. NIST said if a user wants a password that is just emojis they should be allowed. It’s important to note the storage requirements: salting, hashing and MAC, such that if a password file is obtained by an adversary, an offline attack is very difficult to complete.

Require screening of new passwords against lists of commonly used or compromised passwords

One of the best ways to ratchet up the strength of users’ passwords is to screen them against lists of dictionary passwords and known compromised passwords, he said. NIST adds that dictionary words, user names, repetitive or sequential patterns all should be rejected.

“All three of these recommendations are things we have been advising for some time now and there are now password strength meters that screen for compromised credentials, not just commonly used passwords,” Wilson said. “While it wasn’t explicitly mentioned in the new NIST framework, we contend that another important security practice is periodically checking your user credentials against a list of known compromised credentials.”

http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

Finally!

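The screening and storage rules the quoted article lists (reject passwords on a compromised or common list, dictionary words, user names, and repetitive or sequential patterns; impose no character-mix rules; store with salt, hash and a MAC), worked through as an added example in Python. This code is not from the article, NIST, PasswordPing or anyone in the thread; the word lists, MIN_LENGTH, RUN_LENGTH, the PBKDF2 iteration count and the PEPPER value are constructed placeholders.

```python
"""Password screening and storage along the lines of the NIST draft quoted above.

Added example, not code from the article, NIST, or any vendor it names.
The word lists, MIN_LENGTH, RUN_LENGTH, the iteration count and PEPPER are
constructed placeholders; a real deployment loads a breach corpus with millions
of entries and keeps the pepper in a secrets store, not in source.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8               # the only length rule; no upper/lower/digit/symbol mix demanded
RUN_LENGTH = 4               # "aaaa", "1234" or "dcba" anywhere in the password is rejected
PBKDF2_ITERATIONS = 600_000  # assumption: tune to an acceptable login latency

# Constructed sample lists (tiny on purpose); compared case-folded.
COMPROMISED = {"password", "123456", "qwerty", "pa$$w0rd", "letmein"}
DICTIONARY = {"internet", "football", "god", "welcome"}

# Constructed placeholder. The real key lives outside the password database, so a
# leaked table of salts and tags alone is not enough for an offline attack.
PEPPER = b"replace-me-with-a-random-32-byte-secret"


def _normalize(password: str) -> str:
    # NFKC so the same text typed via different Unicode forms compares equal;
    # emoji and other non-ASCII characters are otherwise left as-is and allowed.
    return unicodedata.normalize("NFKC", password)


def _has_run(pw: str) -> bool:
    """True if any RUN_LENGTH adjacent characters are identical or form an
    ascending/descending sequence of code points (e.g. 'aaaa', '1234', 'dcba')."""
    for i in range(len(pw) - RUN_LENGTH + 1):
        window = [ord(c) for c in pw[i:i + RUN_LENGTH]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def screen_password(password: str, username: str) -> list[str]:
    """Return the reasons a candidate password is rejected; [] means accepted."""
    pw = _normalize(password)
    folded = pw.casefold()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if folded in COMPROMISED:
        reasons.append("on compromised/common list")
    if folded in DICTIONARY:
        reasons.append("dictionary word")
    if username and username.casefold() in folded:
        reasons.append("contains user name")
    if _has_run(pw):
        reasons.append("repetitive or sequential characters")
    return reasons


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256), then a keyed MAC with the pepper.
    Returns (salt, tag); both are what gets stored."""
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode(), salt, PBKDF2_ITERATIONS)
    tag = hmac.new(PEPPER, stretched, hashlib.sha256).digest()
    return salt, tag


def verify_password(password: str, salt: bytes, tag: bytes) -> bool:
    stretched = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode(), salt, PBKDF2_ITERATIONS)
    candidate = hmac.new(PEPPER, stretched, hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, tag)


if __name__ == "__main__":
    # Constructed candidates, including the ones joked about in the thread.
    for pw in ["Pa$$w0rd", "God", "1234abcd", "alice-rocks-2017", "🍕🚀🐍🔥🎉🌈🦄🍩"]:
        print(repr(pw), screen_password(pw, "alice") or "accepted")
```

Note that the emoji-only password passes: it meets the length floor and trips none of the list, user-name or run checks, which is exactly the point of dropping composition rules. The run detector is deliberately simple; a production screener would also check the password against a much larger breach corpus, typically via a k-anonymity range query so the candidate is never sent in full to a third party.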
+jnelsoninjax    11,855

Require screening of new passwords against lists of commonly used or compromised passwords

So I shouldn't use Pa$$w0rd? :D Or how about God?

+warwagon    13,035
28 minutes ago, jnelsoninjax said:

Require screening of new passwords against lists of commonly used or compromised passwords

So I shouldn't use Pa$$w0rd? :D Or how about God?

or "Internet" or "Football"

+jnelsoninjax    11,855
12 minutes ago, warwagon said:

or "Internet" or "Football"

Damnit, now I have to change all my passwords. :D

Sszecret    2,474
17 minutes ago, warwagon said:

or "Internet" or "Football"

Which is why I use "Internet Football". I mean *ehem*...I would never do that *ehem*.

+jnelsoninjax    11,855
13 minutes ago, Sszecret said:

Which is why I use "Internet Football". I mean *ehem*...I would never do that *ehem*.

...trying now... hey! He lied! Trying Football Internet... ahh I got it now! :laugh:

FloatingFatMan    18,418

I've been telling our IT folks this for years. All they do when they make the password requirements too complex or too frequent is cause people to write the bloody things down, and that's even worse!

Besides, most folks just tend to increment the number they put in it by one every time they have to change it.
