Security News NIST proposes barring some of the most nonsensical password rules

Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Content source
https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/
The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.

Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules—ostensibly to enhance security hygiene—actually undermine it. And yet, the nameless rulemakers impose the requirements anyway.
Click to expand...
A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

Another requirement that often does more harm than good is the required use of certain characters, such as at least one number, one special character, and one upper- and lowercase letter. When passwords are sufficiently long and random, there’s no benefit from requiring or restricting the use of certain characters. And again, rules governing composition can actually lead to people choosing weaker passcodes.
Click to expand...
arstechnica.com

NIST proposes barring some of the most nonsensical password rules

Proposed guidelines aim to inject badly needed common sense into password hygiene.
arstechnica.com arstechnica.com
 
  • Like
Reactions: silversurfer and simmerskool

Similar threads

I
    • Like
    • Applause
Security News LastPass enforces a 12 character Master Password minimum
Replies
1
Views
2,522
Security News
Ink
I
Gandalf_The_Grey
    • Like
    • Wow
    • HaHa
Security News Passwords disappear for millions of Windows users thanks to Google
Replies
3
Views
2,850
Security News
nicolaasjan
nicolaasjan
Gandalf_The_Grey
    • Like
Security News FBI tells public to ignore false claims of hacked voter data
Replies
4
Views
1,697
Security News
bazang
bazang

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top