Do you feel like you’re forced to live in the past, relying on C0mp1ex P@ssw0rd structures and changing them every 90 days? 😫

Good news! NIST has spoken, and their new password requirements might just help us all to see the light.

NIST’s Top 3 Requirements?

1 – Length Matters

Short passwords are much easier for the bad guys to guess.

Forget the 8-character minimum.

Longer is better!

2 – Complexity Doesn’t

Random numbers, symbols, and uppercase letters just mean you’re more likely to set a short password (awful idea), or reuse the same password across multiple sites (awfuller idea).

That’s why NIST now tells us to use simple, long, and memorable phrases.

Don’t think ‘passwords’. Think ‘passphrases’.

3 – Thou Shalt Not Change Unless Needed

Stop forcing yourself to reset your password every X days.

As long as you use a long (see 1 above) and strong (see 2 above) passphrase, you don’t need to change it unless you think someone has figured out what it is.
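As an added illustration that is not part of the original post: a small policy check that puts the legacy complexity rules side by side with a NIST-style, length-based check for the three requirements above. The 15-character minimum and the blocklist contents are assumptions (NIST sets the length floor by context, and the blocklist comparison is NIST’s own requirement that the post doesn’t list).

```python
import re
import unicodedata

# Constructed sample blocklist standing in for a real list of commonly used
# or previously breached passwords. Note that a famous phrase is still a bad
# passphrase, however long it is.
BLOCKLIST = {"password", "p@ssw0rd", "letmein", "correct horse battery staple"}


def legacy_policy(pw: str) -> list[str]:
    """The 'C0mp1ex P@ssw0rd' rules the post argues against.

    Returns a list of violations (empty list means the password is accepted).
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9\s]")]:
        if not re.search(pattern, pw):
            problems.append(f"missing {name} character")
    return problems


def nist_style_policy(pw: str, min_length: int = 15, max_length: int = 64) -> list[str]:
    """Length-based check with no composition rules (requirements 1 and 2).

    min_length=15 is an assumed value; pick the floor deliberately for your
    context. Spaces are accepted so that phrases work, and length is counted
    in characters, not bytes.
    """
    pw = unicodedata.normalize("NFKC", pw)  # compare visually identical input consistently
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(pw) > max_length:
        problems.append(f"longer than {max_length} characters")
    if pw.casefold() in BLOCKLIST:
        problems.append("appears on the blocklist")
    return problems


def needs_reset(days_since_change: int, suspected_compromise: bool) -> bool:
    """Requirement 3: no calendar-driven rotation, only reset on suspected compromise."""
    return suspected_compromise


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correct horse battery staple", "my dog ate three tacos last summer"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} nist={nist_style_policy(candidate)}")
```

The short complex password sails through the legacy rules but fails the NIST-style check twice, while the plain lowercase phrase does the opposite.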

Bottom Line:

Now that NIST has changed these recommendations into requirements, security should become a little bit more realistic for normal people.

PS If you encounter anyone who still thinks c0mp1ex passwords are a good th1ng, tell them to read NIST’s requirements at https://pages.nist.gov/800-63-4/sp800-63b/authenticators/#password, and specifically this point:

“You SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.”

(3.1.1.2 Point 5)

PPS Thanks to Angel Rojas for sharing this on LinkedIn