By Kevin Edge
The days of having to remember a series of complex passwords may soon be over!
So, what’s changed, you ask? A draft of recommendations from the National Institute of Standards and Technology (NIST, www.nist.gov) is: Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
NIST is recommending three changes to how organizations manage passwords (“memorized secrets” in NIST’s terminology). The guideline is binding only on federal agencies, but the changes are worth considering anywhere, because they let employees get on with their work and take some of the burden off your IT staff. You can read the full special publication on the NIST website; Appendix A (“Strength of Memorized Secrets”) summarizes the evidence behind the changes.
- No more periodic password changes
According to the NIST report, passwords should not be changed “arbitrarily” (its example of an arbitrary change is periodic rotation) “unless there is a user request or evidence of [a] compromise.” This means that once a user has created a password, he or she doesn’t have to change it, say, every three months and then try to remember the new one. The one exception is not optional: if there is evidence that a password has been compromised, the verifier must force a change.
- No more complex passwords
NIST also recommends not requiring passwords to meet composition rules, such as including numbers, upper-case letters, special characters and the like.
NIST notes that “analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” In practice, users satisfy the rules in predictable ways (a capital first letter, a “1” or “!” at the end), so the rules add little entropy that an attacker cannot model.
- Mandatory validation of newly created passwords
NIST indicates that when a new password is created, it should be checked against a blocklist of values known to be commonly used, expected or compromised: passwords from previous breach corpora, dictionary words, repetitive or sequential characters (“aaaaaa”, “1234abcd”) and context-specific words such as the service name or the user’s own name, as well as obvious choices such as “password” and “123456789” that are easily guessed by attackers. A password on the list is rejected and the user is asked to choose another. The same section sets a minimum length of eight characters and requires verifiers to accept at least 64, including spaces and Unicode characters, so long passphrases become a realistic option.
So, why is NIST making these recommendations?
Users are seriously burdened with trying to remember multiple passwords and complex rules for password creation, in addition to having to change the passwords on a regular basis. Even with all of these “safeguards” in place, it hasn’t stopped security breaches.
With the spread of multi-factor authentication (MFA), passwords alone are no longer guarding the gate. MFA combines the password (“something you know”) with a second factor (“something you have,” such as a mobile phone or hardware token) or, in some cases, “something you are” (such as a fingerprint or face recognition). A password that has been guessed or stolen is then not enough on its own to get in, which is what makes the relaxed rules above affordable. MFA does not make it safe to reuse one password across different systems, however: a password leaked from one site will be tried against every other site the user has an account on, and that is precisely why NIST wants new passwords checked against breach lists.
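To make the “something you have” factor concrete, here is an added Python example (not from the article) of the time-based one-time password scheme from RFC 6238 that authenticator apps and many hardware tokens implement: the phone and the server share a secret, each derives a short code from the current 30-second time step, and the server accepts a code only if it matches one of the adjacent steps and has not been used before. The shared secret below is the RFC’s published test-vector seed, used here only so the result is checkable; the function names and the replay-guard parameter are this example’s own.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test-vector seed, used only so the example is verifiable.
# A real enrollment generates a fresh random secret per user and stores it server-side.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Prover side (the phone): the counter is the number of whole time steps elapsed."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1):
    """Verifier side (the server). Accepts the current step plus `window` steps on
    either side to tolerate clock drift, compares in constant time, and refuses any
    step at or before the last one already accepted so a captured code cannot be
    replayed. Returns the matching counter (to be stored as last_used_counter) or
    None on failure."""
    now = int(unix_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    t = time.time()
    code = totp(SHARED_SECRET, t)                     # what the phone displays
    print("code:", code, "accepted at counter", verify_totp(SHARED_SECRET, code, t))
```

The point for the discussion above is that the code is worthless to an attacker who only has the password, and worthless twice over once it has been used: a second submission of the same code is refused by the replay check even inside the acceptance window. Rate limiting of failed attempts, which NIST also requires, is the remaining piece and is not shown here.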
In addition, there are a number of free and paid password managers available to help users. These programs generate long random passwords, one per site, and store them in an encrypted vault. Users then only need to remember one strong password (or passphrase) to unlock the vault, which removes the temptation to reuse passwords across systems.
Source: Business 2 Community