Here’s something interesting (well, as fun as passwords get), which could make life simpler in future:

The guy who wrote the rules about complex passwords says he was wrong. NIST, the US ‘standards setting agency’ which made the case 15 years ago for complex, frequently changed passwords, now admits it may have been wrong and, worse, that the advice has been counterproductive and has weakened average security.

Changing passwords – a history:

  • In the ‘old days’, network passwords were simple, less than 8 characters, and changed regularly, possibly every 30 days.
  • In recent years, passwords became much longer, more complex and changed less frequently, typically 60-90 days.
  • In future, if your password is secure enough, NIST now suggests you may never need to change it, unless there is a high risk or a suspected breach.

Before we explain what’s going on, remember we’ve long said that passwords on their own are dead – Multi Factor Authentication (tokens, like the ones your bank may provide) is far better security.

What should I do now?

Make no changes to your password policy based on this advice just yet.

Remember:

  1. Never reuse passwords
    Don’t share passwords between sites. Make everything unique.
    A compromise elsewhere means everywhere you used that password is now vulnerable (more below).
  2. Change simple or short passwords
    If any of your passwords are too simple, or under 8-10 characters, change them now.
    Password123 or Company999, for example, must be changed for a longer phrase (preferably 12+ characters), which you can remember.
  3. Be proportionate
    The more sensitive the information you’re protecting, the more complex the password should be and the more frequently you should change it. If you used the same password elsewhere, it’s now too weak: change it.
  4. Use a Password Manager
    (you don’t need to know or even see most of your passwords – a password manager generates and autofills a unique one for each site you use)
  5. Use MFA
    Use Two Factor / Multifactor Authentication wherever you can. Combined with a password (something you know), these tokens (something you have) hugely improve your security.
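
The advice above (no reuse, 12+ characters, nothing like Password123 or Company999, let a password manager generate the rest) can be expressed as a simple policy check. The following is an added example written for this page, not NIST’s text or anything from the original post; the compromised-password set, the organisation word list and the short passphrase word list are constructed stand-ins, and a real deployment would check against a full breach corpus and a large published word list instead.

```python
import math
import secrets
import string

# Constructed stand-ins (assumption): a real deployment checks against a breach corpus
# and the organisation's own banned-word list rather than these tiny sets.
COMPROMISED = {"password", "password123", "company999", "qwerty", "letmein", "123456"}
ORG_WORDS = ("company",)
MIN_LENGTH = 12  # the post's "preferably 12+ characters"

# Constructed toy word list for passphrases (assumption: use a large published list in practice).
WORDLIST = ["anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
            "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]


def normalise(candidate):
    """Reduce a candidate to its base word: strip the trailing digits/symbols people
    bolt on to satisfy complexity rules, lower-case it, and undo common leet substitutions,
    so that Password123 and P@ssw0rd! both become 'password'."""
    stripped = candidate.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(str.maketrans("@$013", "asoie"))


def check_password(candidate, already_used=()):
    """Return the list of policy failures for a candidate (empty list means accepted).
    The rules mirror the post's advice rather than composition rules: minimum length,
    not a known compromised or trivially padded common password, not built around
    the organisation's name, and not reused from another account."""
    reasons = []
    lowered, base = candidate.lower(), normalise(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMPROMISED or base in COMPROMISED:
        reasons.append("known compromised or common password (possibly with padding)")
    if any(word in lowered for word in ORG_WORDS):
        reasons.append("built around the organisation's name")
    if candidate in already_used:
        reasons.append("reused from another account")
    return reasons


def generate_password(length=16):
    """Random password of the kind a password manager produces, drawn with the CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words=4, words=WORDLIST):
    """Memorable alternative: n words drawn uniformly at random with the CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size=7776):
    """Entropy of a uniformly chosen n-word passphrase from a list of list_size words
    (7776 is the size of a standard diceware-style list)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Password123", "Company999", "P@ssw0rd!", generate_password(), generate_passphrase()):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print(f"4-word passphrase from a 7776-word list: {passphrase_entropy_bits(4):.1f} bits")
```

Note what the checker does not do: it never demands a mix of upper case, digits and symbols, and it has no expiry date. Length, a compromised-password lookup and a reuse check do more for security than those rules, and the normalisation step shows why padding a dictionary word with digits to satisfy a complexity rule buys nothing.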

Why this change?

Forced complexity and too-frequent password changes can be counterproductive and may drive the wrong behaviour (e.g. writing passwords down, which is bad), so says NIST.

NIST is a prominent US government agency which advises businesses and sets policy on computer security. It is suggested that, to simplify things, its advice about changing network passwords should be revised, but only as long as the passwords are typically more secure than they are now.

Don’t make any changes just yet – we’ll let things settle down first. Anyway, as above, we recommend using Multi Factor Authentication for anything sensitive.