NIST proposes barring some of the most nonsensical password rules

Reworded rules for clarity:

1. Min required length must be 8 chars (obligatory), but it should be 15 chars (recommended).
2. Max length should allow at least 64 chars.
3. You should accept all ASCII plus space.
4. You should accept Unicode; if doing so, you must count each code as one char.
5. Don't demand composition rules (e.g. "u're password requires a comma! lol lmao haha" tier idiocy)
6. Don't bug users to change passwords periodically. Only do it if there's evidence of compromise.
7. Don't store password hints that others can guess.
8. Don't prompt the user to use knowledge-based authentication.
9. Don't truncate passwords for verification.

I was expecting idiotic rules screaming "bureaucratic muppets don't know what they're legislating on", but instead what I'm seeing is surprisingly sane and sensible.

How about making it illegal to block copying and pasting on website forms. I'm literally more likely to make a mistake by typing a routing number than copying and pasting it. The penalty for should be death by firing into the sun to anyone caught implementing any such stupidity.

the document is nearly impossible to read all the way through and just as hard to understand fully

It is a boring document but it not impossible to read through, nor understand. The is what compliances officer do. I have a (useless) cybersecurity degree and reading NIST publications is part of my lecture.

Don’t bug users to change passwords periodically. Only do it if there’s evidence of compromise.

About damn time. I log into my company laptop with a smart card and PIN or a PIN/authenticator code, computer autoconnects to the VPN, and I'm good to go. If there's no internet available, the smart card will still get me into my computer. If I'm on my personal computer, I log in with the PIN/authenticator. This morning I tried really hard to find someplace where I had the option of entering a password and there is none, yet I have to change my password every 6 months. At least my IT department lets me use KeePass.

One thing they should change is the word "password." This implies that it's a short string. Changing it to "passphrase" will help people feel comfortable choosing credentials like "correct horse battery staple."

Meanwhile, my company has systems insisting on expiring ssh keys after 90 days...

Interesting that unicode support is suggested. Emoji passwords could be fun.

You heard it: stop imposing composition rules!

i had to login for some functions at work. i believe the minimums were 8 characters, 1 caapitol, 1 number. and we all hated it, because the passwords had to be changed every 90 days, and you couldn't reuse passwords. eventually you are going to run out of things you can reasonably use that you could remember and then would be forced to use some sort of password manager. but OOPSIE you couldn't install any software on the office computer so you would have to resort to writing them down somewhere. it was a mess.

fortunately corporate decided to just change the entire system adopting most of these rules, min 15 characters, no special character, no hints, no forced changing passwords unless you think you have been compromised or just want to change it. we do have to use 2fa to access some things if you aren't sitting at the office computer but other than that people are much happier about passwords now.

All this 2FA, SSH, token / key stuff is garbage. Rectal vascular mapping is the only legitimate security option.

The app my work uses to show 401k, pay, request leave, etc details, uses a ridiculous webapp that's very slow, and on top of this, they nag you literally every 4 months to update your password. I used to be a good boy and memorize a new password each time. Now I just add a new letter into BitWarden and it's my new password. Apparently this is more secure??

Any password length (within reason) and any character should be allowed. It's going to be hashed and only the hash will be stored right? Length and character limits make me suspect it's being stored in plain text.

At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.

A section devoted to passwords injects a large helping of badly needed common sense practices that challenge common policies. An example: The new rules bar the requirement that end users periodically change their passwords. This requirement came into being decades ago when password security was poorly understood, and it was common for people to choose common names, dictionary words, and other secrets that were easily guessed.

Since then, most services require the use of stronger passwords made up of randomly generated characters or phrases. When passwords are chosen properly, the requirement to periodically change them, typically every one to three months, can actually diminish security because the added burden incentivizes weaker passwords that are easier for people to set and remember.

A.k.a use a password manager for most things and a couple of long complex passwords for things that a password manager wouldn't work for (the password manager's password, encrypted system partitions, etc). I'm assuming In just summed up 35,000 words.

Cracking an 8-char on an ordinary desktop or laptop PC can still take quite a while depending on the details. Unfortunately, the existence of specialized crypto-coin-mining rigs designed to spit out hashes at high speed, plus the ability to farm things out into the cloud, means that the threat we're facing is no longer the lone hacker cracking things on his own PC.

Permanently Deleted