‘Forget enforced password complexity. Forget forced periodic #password changes—These don’t work! Do have passwords checked against a list of commonly “hacked” #passwords that regularly show up in stolen account data troves…’
Here is a quick look at the three main changes NIST has proposed:
1. No more periodic password changes. This is a huge change of policy, as it removes a significant burden from both users and IT departments. It has been clear for a long time that periodic changes do not improve password security and tend to make it worse, and now NIST research has finally provided the proof.
2. No more imposed password complexity (such as requiring a mix of letters, numbers, and special characters). Users no longer need to be “creative” with passwords like “Password1$”, which only provide a false sense of security.
3. Mandatory validation of newly created passwords against a list of commonly used, expected, or compromised passwords. Users will be prevented from setting passwords like “password” or “12345678”, which attackers can easily guess.
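The third change is the one that needs code on the service side. Below is an added example (not from the original post or from NIST) of what that check looks like: no complexity rules, no rotation, just a normalized lookup against a blocklist. The blocklist here is a constructed stand-in for a breach-derived list, and the 8-character minimum is an assumption taken from NIST SP 800-63B, which the post itself does not mention.

```python
"""Password acceptance check in the spirit of the proposed NIST guidance.

No complexity requirements and no forced rotation; the only hard rule is
that the chosen password must not appear on a list of commonly used or
previously compromised values.
"""
from __future__ import annotations

import unicodedata

# Constructed stand-in for a real breach-derived blocklist (example values only).
# In practice this would be a large set loaded from a file such as a
# "most common passwords" corpus or a breach-notification export.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "password1", "iloveyou", "admin", "welcome", "monkey",
}

# Assumed minimum length (SP 800-63B's 8 characters), not stated in the post.
MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Canonicalise before comparing so trivial variants still hit the list.

    NFKC folds compatibility forms (full-width digits, ligatures), strip()
    drops accidental surrounding whitespace, and lower() makes the lookup
    case-insensitive, so "PassWord" is treated the same as "password".
    """
    return unicodedata.normalize("NFKC", password).strip().lower()


def check_password(candidate: str, blocklist: set[str] = COMMON_PASSWORDS,
                   min_length: int = MIN_LENGTH) -> tuple[bool, str]:
    """Return (accepted, reason) for a newly chosen password."""
    pw = normalize(candidate)
    if len(pw) < min_length:
        return False, "too short"
    if pw in blocklist:
        return False, "appears on the common/compromised password list"
    # Strip a trailing digit/symbol suffix so "Password1$" is recognised as
    # the blocked base word "password" with decoration bolted on.
    base = pw.rstrip("0123456789!@#$%^&*.?-_")
    if base in blocklist:
        return False, "trivial variation of a blocked password"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("Password1$", "12345678", "correct horse battery staple"):
        print(sample, "->", check_password(sample))
```

The blocklist check is cheap (a set lookup), so the cost of adopting the guidance is maintaining the list, not running the check.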
So why haven’t we seen any coverage of these changes, considering how much of a departure they are from previous advice — and considering that every average user is going to be affected?