There's good news though! NIST recently released a new set of password standards (SP 800-63B, the Digital Identity Guidelines) that adds a healthy dose of logic to our existing password rules. The full paper can be read here, but it is not a short read, so I'd like to summarize the rules for "memorized secrets" (passwords and passphrases) for you:
- No unnecessary changing of passwords. Verifiers should not force periodic rotation; a password only needs to change when there is evidence it has been compromised, for example a breach or the password turning up in a credential dump. Forced rotation mostly pushes people toward predictable patterns like "Summer2017" becoming "Fall2017".
- Remove composition rules entirely (the "must contain an upper-case letter, a digit and a symbol" checklist) and instead focus on password length. Length is the cheapest way to increase entropy, and it encourages the use of a passphrase as opposed to a password. Passphrases can also be easier to remember; compare these two: "J32@oukB" vs "Steve pickle dolphin 5 sunglasses!". One caveat: length only buys entropy if the words are chosen at random rather than lifted from a song lyric or a famous quote, since those are already in crackers' wordlists.
- Remove password hints. A hint is shown to anyone who has not authenticated yet, and unfortunately users will sometimes put the password itself in the hint, or make the hint very easily guessable ("my dog's name").
- Compare the password with a list of "known bad" passwords whenever it is set or changed. This could be a list of the top 1000 most-used passwords, a dictionary, or a collection of millions of weak passwords recovered from data breaches. NIST also calls out repetitive or sequential strings ("aaaaaaaa", "12345678") and context-specific words such as the user's own name, their username, or the name of the service. Reject the password and tell the user why, but don't bolt composition rules back on top.
- Allow all printable ASCII characters including spaces, and all Unicode characters, even emojis! Two practical details: count length in Unicode code points rather than bytes, so a four-byte emoji counts as one character, and apply a stable Unicode normalization (NFKC or NFKD) before hashing, so the same passphrase typed on two platforms that compose accented characters differently still produces the same hash.
- Minimum length should be 8 characters, and the maximum should be at least 64; there is nothing wrong with allowing more. The practice of preventing someone from using a password longer than 16 characters needs to stop, and so does silently truncating what the user typed, because a truncated passphrase means the user and the verifier disagree about what the password actually is.
- Passwords should be salted and hashed with a deliberately slow password-hashing function. NIST names PBKDF2 (with at least 10,000 iterations) and Balloon; bcrypt, scrypt and Argon2id are the other usual choices. A plain salted MD5 or SHA-1 still lets an attacker with a few GPUs try billions of guesses per second, so in the event of a data breach the stretching is what buys the time to notify users and rotate credentials. NIST also suggests an optional additional keyed hash (a "pepper") whose key is stored separately from the password hashes, for example in a hardware security module.