Slashdot Mirror


NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com)

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach.

3 of 149 comments

  1. Re:Good move by EvilSS · Score: 3, Informative

    even windows server won't let you do that with a simple AD configuration change

    Just using "one" "two" "three" will usually be enough of a difference to get past most password uniqueness policies

    --
    I browse on +1 so AC's need not respond, I won't see it.
  2. Re:The B word by Opportunist · Score: 3, Informative

    Biometrics are great for identification, but very, very poor for authentication. As soon as this finally settles in, we can start talking about using it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Ass Covering, Delusional Password Policies by FeelGood314 · Score: 4, Informative

    Most users are expected to know 22 passwords

    Seriously, fuck you, to any site admin who contributes to this.

    Real people can remember two or three passwords and that is all they will bother to remember. They will have maybe 2 long-term secure passwords for things they personally value (and guess what, work isn't one of those things) and they will reuse the same password or variants of it on every single other system they use. No user will memorize a new password if they are expected to change it regularly. They will create the easiest password possible that meets the system's requirements.
    This is universal and everyone knows it. The previous company I worked for was a well-trusted security company with a policy of passwords that had to change every 90 days, use an uppercase letter, lowercase letter, number, symbol and had to be at least 8 characters. I did a survey. Over two thirds of engineers and 6 out of 6 in HR admitted their password was a common six-letter English word, first letter capitalized, a symbol and a number that they incremented.
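The comments above describe the failure mode that motivates dropping forced expiry: when a rotation is required, the new password is usually the old one with a flipped case, an appended word, or an incremented counter. As an added illustration (not code from the thread or any of its posters), the validator below shows how a change policy that does not force periodic rotation can still reject those trivial rotations and known-breached values when a user does choose to change. The minimum length of 8, the edit-distance threshold of 2, the breach list and the helper names are all assumptions constructed for this example, not values taken from the NIST draft or the page.

```python
"""Password-change validator (added illustration, not from the Slashdot thread).

Assumptions made here and not stated on the page: minimum length 8, a small
constructed breach list, and a "too similar to a previous password" rule that
catches the incremented-number, case-flip and appended-word patterns the
comments describe.
"""
import re

# Constructed sample of leaked passwords for the demo; a real deployment
# would consult a large breach corpus rather than this list.
BREACHED_SAMPLE = {"password1", "summer2016", "welcome1", "12345678", "qwerty123"}

MIN_LENGTH = 8          # assumption for this example
MAX_EDIT_DISTANCE = 2   # assumption: <= 2 edited characters is "the same password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(pw: str) -> str:
    """Lower-case the password and strip any trailing digits/symbols, so that
    'Summer!1' and 'Summer!2' both reduce to 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is the kind of rotation users produce to satisfy a
    forced-change policy: case flip, incremented counter, appended word, or
    only a couple of edited characters."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    if _core(old) and _core(old) == _core(new):
        return True
    if o in n or n in o:
        return True
    return edit_distance(o, n) <= MAX_EDIT_DISTANCE


def validate_change(old: str, new: str, history=(), breached=BREACHED_SAMPLE):
    """Decide whether a requested change from `old` to `new` is acceptable.

    Returns (accepted, reason). `history` holds earlier passwords in plaintext
    purely for the demo; at change time a real system only has the current
    password in plaintext, so similarity checks against older entries are
    limited to what the stored representation allows.
    """
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if new.lower() in breached:
        return False, "appears in breach list"
    for previous in (old, *history):
        if is_trivial_variant(previous, new):
            return False, "trivial variant of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes exercising each rule.
    for old, new in [("Summer!1", "Summer!2"), ("Summer!1", "summer!1one"),
                     ("Summer!1", "Password1"), ("Summer!1", "short1!"),
                     ("Summer!1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new)}")
```

The substring and stripped-suffix checks cover the "append one/two/three" and "increment the number" habits directly; the edit-distance bound catches the remaining single-character tweaks, including all-digit passwords where the stripped core is empty. Because the policy never forces a change, the similarity rule only runs when a user volunteers a new password or an administrator triggers a reset after a suspected breach.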