Have We Been Doing Passwords All Wrong?

A user’s personal information is only as secure as the method used to protect it, and the most common method of protecting information is still the good old password.

The problem with passwords is that they rely heavily on the user’s ability to create, protect and update them.

The new NIST (National Institute of Standards and Technology) guidelines have made some new recommendations that have left many security advisors with eyes agape.

The new recommendations from NIST removed two (2) commonly used practices:

  • No more password expiration – Previously, IT security professionals were advised to force password expiration after a preset period such as 60 to 90 days. That advice is gone; NIST now recommends changing a password only after a breach has been discovered.
  • Make the password user friendly – In recent years, password complexity requirements have made passwords a pain to use and almost impossible to remember. NIST believes a password should be user friendly: easy to remember but hard to guess. This reduces the need for overly complex passwords that users constantly have to reset because they have forgotten them.
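To make the two changes concrete, here is a small added example (not code from the original post) that evaluates candidate passwords under a legacy composition-plus-expiry policy and under a policy shaped by the NIST guidance. The minimum length of 8 characters and the check against a list of breached or commonly used passwords come from NIST SP 800-63B; the blocklist contents and the 90-day legacy expiry are constructed for the example.

```python
"""Legacy password policy versus a NIST SP 800-63B style policy.

Added illustration, not code from the original post. The blocklist below
is a constructed stand-in for a real list of breached/common passwords.
"""
import re
from datetime import date, timedelta

# Constructed sample blocklist; a real deployment would use a large list
# of known-breached and commonly chosen passwords.
BREACHED_OR_COMMON = {"password", "p@ssw0rd!", "qwerty123", "letmein"}

LEGACY_EXPIRY = timedelta(days=90)  # assumed legacy rotation interval


def legacy_policy_accepts(pw: str) -> bool:
    """Legacy rules: 8-16 characters and a forced mix of upper, lower,
    digit and symbol. Long memorable passphrases fail these rules."""
    return (
        8 <= len(pw) <= 16
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def nist_policy_accepts(pw: str) -> bool:
    """NIST-style rules: at least 8 characters, no composition rules,
    rejected only when it appears on the breached/common list."""
    return len(pw) >= 8 and pw.lower() not in BREACHED_OR_COMMON


def legacy_needs_change(last_changed: date, today: date, breach_found: bool) -> bool:
    """Legacy: rotate on breach OR when the expiry interval has passed."""
    return breach_found or (today - last_changed) > LEGACY_EXPIRY


def nist_needs_change(last_changed: date, today: date, breach_found: bool) -> bool:
    """NIST: rotate only when a breach has been discovered."""
    return breach_found


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd!"):
        print(candidate, legacy_policy_accepts(candidate), nist_policy_accepts(candidate))
```

The passphrase "correct horse battery staple" fails the legacy composition rules but passes the NIST-style check, while "P@ssw0rd!" satisfies every legacy composition rule yet is rejected because it sits on the blocklist.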

These changes may at first seem less than logical, but they are based on research and gathered statistical data that prove the previous methods were only making things more difficult for the user.

In summary, security is never perfect and therefore requires constant reminders and awareness training to reach a level of compliance sufficient to protect your data.