Last week, NIST released SP 800-63-4, the latest version of its Digital Identity Guidelines. At roughly 35,000 words and filled with jargon and bureaucratic terms, the document is nearly impossible to read all the way through and just as hard to understand fully.
A section devoted to passwords injects a large helping of badly needed common-sense practices that challenge widespread policies. One example: the new rules bar requiring end users to change their passwords periodically.
Choosing strong passwords and storing them safely is one of the most challenging parts of a good cybersecurity regimen. More challenging still is complying with password rules imposed by employers, federal agencies, and providers of online services. Frequently, the rules - ostensibly to enhance security hygiene - actually undermine it. And yet, the nameless rulemakers impose the requirements anyway.