NIST – a new set of password policies and guidelines
I stumbled across this article on NIST’s new password guidance this morning, and I was impressed. The rules contain a lot of common sense practices, but they also challenge everyday practices that are currently in use. The highlights for me are:
- Cease using SMS to deliver tokens: It is too easy for someone to intercept the codes.
- Death to knowledge-based questions: Mother’s maiden name? Easily discovered. Favourite book as a child? This changes depending on the mood I’m in.
It looks like the official page has been changed to a “coming soon” style page whilst the process of formalising the rules progresses.
As usual, Hacker News has a thorough discussion and it raises some excellent points:
- Salting is going to be a pain for the companies that use Active Directory.
- The guidelines conflict with PCI compliance.
- Theatre and security are so intertwined that it is hard to tell where one starts and the other stops.
If you’re reading this in the future then the new NIST passwords guidance may now be online.