Standards body recommends removing periodic password change requirements

CSO Online reports that the National Institute of Standards and Technology’s (NIST’s) draft guidelines change some long-established best practices — practices that have been ineffective for many years.

Changes include:

  • Remove periodic password change requirements
  • Drop the algorithmic complexity song and dance
  • Require screening of new passwords against lists of commonly used or compromised passwords
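
As an added illustration of the third item (example code, not from CSO Online or NIST), the screener below rejects a candidate password if it is on a local list of commonly used passwords or appears in breach data. The breach data is constructed inline and indexed by the first five hex characters of its SHA-1, the k-anonymity "range" shape that public breach-lookup services use, so the check needs only the prefix and the full hash never has to leave the client; the blocklist, the breach entries and their counts are all constructed.

```python
import hashlib

# Constructed: a small local blocklist of commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Constructed: passwords we pretend were seen in breaches, with counts.
_BREACHED = {"password1": 2400000, "sunshine": 150000, "Tr0ub4dor&3": 3}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index breached hashes by their first 5 hex chars; each entry holds
    the remaining 35 chars plus a count, mirroring a k-anonymity range
    response in which only the prefix is ever sent by the client."""
    index = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(_BREACHED)


def range_lookup(prefix: str) -> list:
    """Offline stand-in for a breach-lookup service: given a 5-char hash
    prefix, return every (suffix, count) filed under it. Constructed."""
    return RANGE_INDEX.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password was seen in breach data (0 if never).
    Only the prefix is looked up; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for seen_suffix, count in range_lookup(prefix):
        if seen_suffix == suffix:
            return count
    return 0


def screen_password(candidate: str) -> tuple:
    """Return (accepted, reason). Rejects values on the common list
    (compared case-insensitively) or present in the breach data."""
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on common-password list"
    n = breach_count(candidate)
    if n:
        return False, f"seen in breach data ({n} times)"
    return True, "ok"
```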

Elaborating further:

“The reality is that passwords are weak no matter how often they are changed or how difficult they are, and people usually have only a variant of one or two passwords. Man-in-the-middle or man-in-the-browser hacks can take your password even if it is extremely lengthy and complicated – IT administrators can see your passwords, your bank can see your passwords,” [Eric Avigdor] said.

He said the guidelines recognize that the way to solve the password problem is to accept that passwords are weak and add on other complementary factors of authentication, whether mobile or hardware OTP tokens, as well as PKI-based USB tokens or smart cards.