Password rules are about to change. Traditionally, the recommendation has been to require complex passwords that are changed frequently. NIST (National Institute of Standards and Technology) is reviewing its recent draft proposal and is expected to revise its recommendations; in particular, frequent password changes are expected to no longer be required. The biggest changes, though, concern other authentication methods, not just passwords. I came across a great post by CSO that offers some very practical advice about passwords. The practical password policy it suggests:
- Implement multi-factor authentication for all accounts.
- Create awareness campaigns for password security that discourage reusing passwords and writing them down, and that instruct employees to protect both their passwords and their multi-factor authentication devices.
- Allow users to use any password of their choosing.
I agree with using multi-factor authentication wherever possible. If you don't use multi-factor authentication, then the following should be your password policy:
- Continue to enforce periodic password changes
- Implement NIST guidance for preventing guessable passwords (a minimum length, and rejection of passwords found in common or breached-password lists, repetitive or sequential strings, and context-specific words such as the user's name)
- Implement password login rate limiting
- Implement awareness campaigns that show how to create strong but memorable passwords, prohibit password reuse, protect passwords, and recognize phishing
- If you do not require special characters, passwords need to be longer to provide the same level of security: each character is drawn from a smaller alphabet, so more characters are needed to reach the same number of bits of entropy
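The three technical items in the list above (NIST-style rejection of guessable passwords, login rate limiting, and the length trade-off when composition rules are dropped) can be implemented in a few dozen lines. The following is an added example written for this post; it is not code from the original article, from CSO or from NIST. The blocklist is a small constructed stand-in for a real breached-password list, the limits follow NIST SP 800-63B (at least 8 characters, at least 64 allowed, no composition rules, a blocklist check, throttling of failed logins), and the 5-per-5-minutes rate limit is an assumed policy value.

```python
import math
import time
from collections import defaultdict, deque

# Constructed stand-in for a real common/breached password list.
# In production, load a large list (for example one built from public breach data).
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "qwerty",
    "letmein", "welcome", "admin", "iloveyou",
}

MIN_LENGTH = 8   # NIST SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # NIST SP 800-63B: verifiers should allow at least 64


def _is_sequential(s: str) -> bool:
    """True if every adjacent character steps by exactly +1 or -1 ("abcdefgh", "87654321")."""
    if len(s) < 2:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas == {1} or deltas == {-1}


def check_password(candidate: str, username: str = "", service: str = "") -> tuple[bool, str]:
    """Return (accepted, reason) using length and blocklist checks only.
    No composition rules (digits, symbols, case) are enforced, per NIST guidance."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if len(candidate) > MAX_LENGTH:
        return False, "too long"
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "on common/breached password list"
    if len(set(lowered)) <= 2:          # "aaaaaaaa", "abababab"
        return False, "repetitive characters"
    if _is_sequential(lowered):         # "abcdefgh", "12345678"
        return False, "sequential characters"
    for word in (username, service):    # context-specific words
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    return True, "ok"


class LoginRateLimiter:
    """Sliding-window limiter on failed logins per account.
    Defaults (5 failures per 5 minutes) are an assumed policy, not a NIST number."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                      # injectable for testing
        self._failures: dict[str, deque] = defaultdict(deque)

    def allow(self, account: str) -> bool:
        """Should a login attempt for `account` be processed right now?"""
        now = self.clock()
        q = self._failures[account]
        while q and now - q[0] >= self.window:  # drop failures outside the window
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)       # a good login clears the counter


def equivalent_length(length: int, charset_from: int, charset_to: int) -> int:
    """Length needed from a `charset_to`-symbol alphabet to match the entropy
    (in bits) of `length` uniformly random symbols from a `charset_from` alphabet."""
    bits = length * math.log2(charset_from)
    return math.ceil(bits / math.log2(charset_to))


if __name__ == "__main__":
    for pw in ("Password123", "correct horse battery staple", "abcdefghij"):
        print(pw, "->", check_password(pw))
    # 8 printable-ASCII characters (95 symbols) versus lowercase-only (26) and alphanumeric (62)
    print("lowercase-only needs", equivalent_length(8, 95, 26), "characters")
    print("alphanumeric needs", equivalent_length(8, 95, 62), "characters")
```

The `allow`/`record_failure` split lets the limiter sit in front of the credential check, so a throttled account never even reaches the password verifier. The entropy helper shows why the last bullet holds: an 8-character password drawn from all 95 printable ASCII characters carries about 52.6 bits, and matching that with lowercase letters alone takes 12 characters, or 9 with letters and digits.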