NIST wants to get rid of useless password rules

NIST is updating its guidelines around passwords to dispel some persistent myths once and for all.

There is a carload of rules about how to compose the perfect password. Some of those rules are long outdated, yet they persist. NIST, the standard-setting agency of the U.S. government, therefore devotes a section of its updated Digital Identity Guidelines to passwords.

NIST’s guidelines are intended to identify technical requirements and best practices that ensure the validity of the methods used to verify digital identities online. Organizations that communicate with the federal government online must comply with the requirements. We certainly don’t recommend reading the document in full: it runs to around 35,000 words and is packed with technical and bureaucratic jargon.

Do’s and don’ts for passwords

The chapter on passwords includes some tips that would be helpful to anyone. NIST lists do’s and don’ts for using passwords, for both personal and work accounts. It further distinguishes between guidelines that are recommended (Should/Should not), mandatory requirements (Shall) and practices that are absolutely out of the question (Shall not).

In the category of “password rules that should disappear as soon as possible,” NIST puts, among other things, changing passwords regularly. Indeed, it is a myth from an earlier era that you should change your passwords every few months.

Research has shown that, over time, this causes people to start choosing weaker passwords. A password should, with the emphasis on should, only be changed if there are any indications that the password has been compromised, and preferably as soon as possible.

Another myth that NIST likes to dispel is that imposing certain characters (punctuation, capital letters, numbers, etc.) automatically leads to stronger passwords. The length of a password says much more about its strength. If passwords are long and random enough, it makes no sense to mandate or restrict the use of certain characters. A password should have at least eight characters; according to NIST, 15 characters is the recommended minimum.
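To make the contrast concrete, here is an added example (not code from the article or from NIST) that puts the two kinds of policy side by side: a legacy composition check that demands character classes, and a length-based check in the spirit of the guidelines that accepts any character and only looks at length, using the 8-character minimum and 15-character recommendation quoted above. It also includes a rough entropy estimate to show why a long lowercase passphrase beats a short "complex" one, and the rotation rule from the article (age alone never forces a change). The sample passwords and the pool sizes used for the entropy estimate are constructed assumptions for illustration.

```python
import math
import re

# Thresholds quoted in the article (NIST Digital Identity Guidelines)
MIN_LENGTH = 8          # absolute minimum
RECOMMENDED_LENGTH = 15  # recommended minimum


def legacy_check(password: str) -> list[str]:
    """Old-style composition policy: 8+ characters and at least three of
    four character classes. Shown only to contrast with the length-based rule."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = sum([
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^a-zA-Z0-9]", password)),
    ])
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems


def nist_style_check(password: str) -> tuple[bool, bool]:
    """Length-only policy: no mandated or forbidden characters.
    Returns (accepted, meets_recommended_length)."""
    length = len(password)  # code points; spaces and non-ASCII count like any other character
    return length >= MIN_LENGTH, length >= RECOMMENDED_LENGTH


def estimated_bits(password: str) -> float:
    """Upper-bound strength estimate for a randomly generated password:
    length * log2(pool size), with the pool inferred from the classes present.
    Pool sizes (26/26/10/33 printable ASCII) are an assumption for illustration."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def change_required(days_since_set: int, compromise_suspected: bool) -> bool:
    """Rotation rule from the article: the age of a password is deliberately
    ignored; only an indication of compromise triggers a change."""
    del days_since_set  # intentionally unused
    return compromise_suspected


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials
    samples = ["P@ssw0rd", "correct horse battery staple", "Ab1!", "übergrößen-passphrase"]
    for pw in samples:
        accepted, recommended = nist_style_check(pw)
        print(f"{pw!r:34} legacy={legacy_check(pw) or 'ok'!s:40} "
              f"nist=({accepted}, {recommended}) bits~{estimated_bits(pw):.1f}")
    print("change after 400 days, no compromise:", change_required(400, False))
```

Running the script shows the legacy policy accepting an 8-character password like `P@ssw0rd` (about 53 bits if it were random, and in practice a common pattern) while rejecting a 28-character passphrase for lacking character classes; the length-based check does the reverse, and the rotation rule returns `False` for an old but uncompromised password.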

NIST’s two other Shall not rules are requiring a security question, such as “What is your first pet’s name?” and keeping hints to your password in locations accessible to unauthenticated individuals.
