The United States National Institute of Standards and Technology (NIST) has revised Special Publication 800-63B, and the update contains some very important changes. One of the more fascinating examples is that it no longer relies on complex passwords.
This has been an interesting read. I highly recommend you review their revision of the Digital Identity Guidelines. You can find the Special Publication on their page – NIST 800-63B (updated link).
In addition to dropping complexity requirements, their finding is that a long password is better than crazy composition rules. The guideline sets a minimum of 8 characters for a user-chosen password and says verifiers should allow at least 64, and it also drops forced password changes every 90 days: a change is only required when there is evidence the password has been compromised.
A few other interesting changes include:
- No weird password creation rules (no mandatory uppercase, digit or symbol)
- Checking new passwords against a blocklist of known bad passwords (breach dumps, dictionary words, the service name or user name, and patterns like "aaaaaa" or "1234abcd")
- No more password hints that an unauthenticated user can see, and no "What was your first pet's name?" security questions
This makes sense. Piling unnecessary security requirements on general users encouraged bad password creation and management habits. Security teams everywhere could probably guess most of their users' passwords or, worse, find where they are written down. Those complexity requirements were mostly met at the bare minimum anyway; "Password1!" ticks every box.
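To make the difference concrete, here is an added example (my own code, not NIST's or anything from the blog) that puts the old "three of four character classes" rule next to a check built on the 800-63B rules listed above: length limits, no composition rules, and a blocklist covering breached passwords, context-specific words and repetitive or sequential runs. The breach list is a tiny constructed stand-in for a real corpus, and the 8/64 limits, the run length of 4 and the reason strings are my choices.

```python
import re
import unicodedata

# Assumed limits taken from SP 800-63B: at least 8 characters, allow at least 64.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breach corpus such as Pwned Passwords.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "P@ssw0rd!"}

TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
TOO_LONG = "longer than %d characters" % MAX_LENGTH
BREACHED = "appears in breach blocklist"
CONTEXT = "contains the username or service name"
PATTERN = "repetitive or sequential characters"


def legacy_complexity_ok(secret):
    """The old 'at least three of four character classes' rule, for comparison."""
    classes = [
        re.search(r"[a-z]", secret),
        re.search(r"[A-Z]", secret),
        re.search(r"[0-9]", secret),
        re.search(r"[^A-Za-z0-9\s]", secret),
    ]
    return len(secret) >= MIN_LENGTH and sum(1 for c in classes if c) >= 3


def has_pattern(secret, run=4):
    """True for runs such as 'aaaa', 'abcd' or '4321' of at least `run` characters."""
    s = secret.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), s):   # same character repeated
        return True
    for i in range(len(s) - run + 1):              # ascending/descending code points
        cps = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(cps, cps[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def evaluate(secret, username="", service=""):
    """Return the reasons a candidate secret is rejected; [] means accept.

    No composition rules and no expiry: length plus a blocklist is the whole policy.
    """
    s = unicodedata.normalize("NFKC", secret)  # visually identical Unicode compares equal
    reasons = []
    if len(s) < MIN_LENGTH:                    # len() counts code points, not bytes
        reasons.append(TOO_SHORT)
    if len(s) > MAX_LENGTH:                    # reject, never truncate
        reasons.append(TOO_LONG)
    if s in BREACHED_PASSWORDS:
        reasons.append(BREACHED)
    lowered = s.lower()
    if any(w and len(w) >= 3 and w.lower() in lowered for w in (username, service)):
        reasons.append(CONTEXT)
    if has_pattern(s):
        reasons.append(PATTERN)
    return reasons


if __name__ == "__main__":
    # Constructed candidates; note which ones each policy accepts.
    for pw in ("P@ssw0rd!", "correct horse battery staple", "aaaa1234", "jsmith2024!!"):
        verdict = evaluate(pw, username="jsmith", service="Acme") or "accepted"
        print(repr(pw), "legacy:", legacy_complexity_ok(pw), "800-63B:", verdict)
```

The contrast is the point: the legacy rule happily accepts "P@ssw0rd!" (in the blocklist) and "jsmith2024!!" (built from the username) while rejecting a long passphrase with no digits; the blocklist-based check does the opposite.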
Security researcher Jim Fenton has a great summary of these changes on his SlideShare account.
This is definitely a welcome proposal. I for one hated enforcing those old rules. Unfortunately, I suspect not everyone will be on board. Yes, I'm talking about old managers, but I'm also referring to external auditors. Password complexity and change requirements are part of external auditors' recommendations. So please be sure to check with any regulatory experts before you roll out a new policy.
Don't be surprised if you get a "no" with no ETA. These types of things usually go before a board before policy is updated, so expect a while of discussion, risk analysis, and testing before anything is changed.
Update: So how do you check a password against a known database of bad passwords?
The Have I Been Pwned: Pwned Passwords site is available to help. It was created by security researcher Troy Hunt. Not only are you able to see whether accounts on your domain have turned up in a recent data dump, you're also able to check a password against a hefty database of breached credentials. The lookup uses a range API that only needs the first five characters of the password's SHA-1 hash, so the password itself never leaves your system, and the full hash list is downloadable. You can use his collected data to build an internal password checker if a coder on your team has spare time (yeah right :)).