Slashdot Mirror


NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com)

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies showing that requiring frequent password changes is actually counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is an indication of breach.

5 of 149 comments

  1. Good move by phresno · · Score: 3, Interesting

    I welcome the return to sanity.

    1. Re:Good move by RightwingNutjob · · Score: 2, Interesting

      You know what? If I keep my sticky note in a safe with a controlled combo (just me and the site locksmith), that's better than a mess of key escrows and decryptable passwords and all the other MS junk that people who don't know any better pay money for.

      People who live their whole lives on the internet forget how damn difficult it is to hack and steal a piece of paper in a secure metal container. Actual hacksaws are required. That's real security that doesn't depend on some half-literate outsourcee in India not making a deliberate mistake.

  2. Sudden breakout of common sense by Anonymous Coward · · Score: 3, Interesting

    A randomly generated password of any given strength has the same probability of being guessed as any other equivalently strong random password. The only reason for a strong password change is breach. Oh, and, my favourite pet peeve: the common requirement that passwords must have some minimum number of characters from a few subsets of all printable characters actually makes them much weaker.
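
    The effect of composition rules on a random password is something you can put a number on. The block below is an added example (not from the comment above or from NIST): it counts, by inclusion-exclusion, how many strings of a given length over the 95 printable ASCII characters contain at least one character from each required class, and reports the keyspace an attacker who knows the policy actually has to search. The class sizes (26 lower, 26 upper, 10 digit, 33 symbol including space) are standard printable-ASCII counts; the function and variable names are this example's own.

```python
"""Keyspace of random passwords with and without composition rules.

An attacker who knows a site requires, say, one upper, one lower, one digit
and one symbol never has to try candidates that violate the rule, so the
rule shrinks the space of passwords that can exist. This measures by how much.
"""
import math
from itertools import combinations

# Printable ASCII split into the classes policies usually name (26+26+10+33 = 95).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_unconstrained(length, classes=CLASSES):
    """Number of length-`length` strings over all characters in `classes`."""
    return sum(classes.values()) ** length


def count_satisfying(length, required, classes=CLASSES):
    """Number of length-`length` strings that contain at least one character
    from every class named in `required`, by inclusion-exclusion:
    sum over subsets E of `required` of (-1)^|E| * (alphabet minus E)^length.
    """
    alphabet = sum(classes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            reduced = alphabet - sum(classes[c] for c in excluded)
            total += (-1) ** k * reduced ** length
    return total


def bits(count):
    """Entropy in bits of a uniform choice among `count` candidates."""
    return math.log2(count)


def keyspace_loss_bits(length, required, classes=CLASSES):
    """Bits of entropy a uniformly random password of `length` gives up when
    the policy forces it into the subset satisfying `required`."""
    free = count_unconstrained(length, classes)
    constrained = count_satisfying(length, required, classes)
    return bits(free) - bits(constrained)


def report(length, required, classes=CLASSES):
    """Return (free_bits, constrained_bits, loss_bits) for one policy."""
    free = bits(count_unconstrained(length, classes))
    constrained = bits(count_satisfying(length, required, classes))
    return free, constrained, free - constrained


if __name__ == "__main__":
    all_four = ["lower", "upper", "digit", "symbol"]
    print(f"{'len':>4} {'free bits':>10} {'policy bits':>12} {'loss':>6}")
    for n in (8, 10, 12, 16):
        free, pol, loss = report(n, all_four)
        print(f"{n:>4} {free:>10.2f} {pol:>12.2f} {loss:>6.2f}")
    # The loss shrinks as length grows: at 8 characters a 4-class rule costs
    # roughly a bit, because few random 8-character strings happen to hit all
    # four classes; at 16 characters almost all of them do.
```

    The table this prints is for uniformly random passwords, which is the case the comment is about; for human-chosen passwords the damage from composition rules comes from predictable ways of satisfying them (capital first, digit last), which this count does not model.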

  3. Re:What if... by PCM2 · · Score: 4, Interesting

    Multi-factor?

    --
    Breakfast served all day!

  4. Well two things by Sycraft-fu · · Score: 4, Interesting

    1) If that is a big concern, use multi-factor. When real authentication security is important, multi-factor is important. You can't go and say an account is super important and needs high levels of protection but then refuse to go multi-factor.

    2) How long are you ok with an adversary having access to your systems? Is 6 months ok? 12? Those are usually what you see password change requirements set at. Are you really ok with someone having unauthorized access to your systems for 12 months, but that's it, any longer is an issue? Of course not. But to change it often enough to keep an unknown compromise to what you'd consider acceptable users would need to change passwords multiple times a day.