Password Security: Out with the old rules, in with the new
As most of us (hopefully) already know, the internet can be a dangerous place when you don't practice proper password safety procedures. Just what do you need to do to keep your passwords secure, though? As it turns out, one of the writers of a document that has been used to create password policy for years says the suggestions he laid down are no longer valid.
The document in question is "NIST Special Publication 800-63. Appendix A." Originally published back in 2003, this document laid down guidelines for creating secure passwords and implementing password policy at corporations. These guidelines were crafted by Bill Burr, who once served as the manager of the National Institute of Standards and Technology, the organization that released the document.
In the paper, Burr recommended that in creating passwords, people should use tricks like random capitalization and special characters. The paper also recommends corporate policy forcing users to reset their passwords every 90 days. In the time since publication, it's become clear that these suggestions have made passwords weaker rather than more secure.
"Much of what I did I now regret," Burr tells The Wall Street Journal. The problem with these recommendations is that they prompt users to create passwords that are still easy to compromise – swapping out certain letters with special characters and capitalizing some letters within a password doesn't really do much to secure accounts against brute force attacks. Moreover, requiring users to reset their passwords every 90 days usually just means that they swap out a single character, keeping the the password pretty much the same and making nothing safer in the process.
The good news is that these recommendations from NIST are now a thing of the past. Published in June, a new paper named "NIST Special Publication 800-63B. Digital Identity Guidelines," offers an entirely new set of recommendations that should hopefully make things a lot more safe in general.
The new rules suggest handy tools like multi-factor authentication, and goes into the different levels of authentication available to users and businesses. The only question now is how widely implemented these new recommendations will be – the ways of the past may be habit for a lot of people by now, so here's hoping those habits aren't yet set in stone.