What NIST’s latest password standards mean, and why the old ones weren’t working

Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.” 

The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for how websites and organizations should handle password creation and management. They do away with many of the “common sense” rules we have taken for granted about passwords for years.

Here is a tl;dr version of what these proposed guidelines say: 

- Passwords need to be at least eight characters long, and sites should additionally recommend at least 15 characters.
- Credential service providers (CSPs) should allow passwords of at least 64 characters.
- CSPs should accept ASCII and Unicode characters in passwords.
- Rather than forcing changes on a fixed schedule, users should only have to change a password when there is evidence it has been compromised.
- There should be no composition rules requiring a minimum number of digits or special characters (think “Password12345!”).
- Knowledge-based authentication and security questions (“What was the name of your college roommate?”) should no longer be used when passwords are chosen.
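To make the difference concrete, here is an added example (not code from the article or from NIST) that puts a legacy composition-rule check next to a length-only check in the spirit of the rules above. The function names, the NFKC normalization step, and the sample passwords are assumptions made for this illustration; NIST permits either NFKC or NFKD, and the important point is that length is measured in Unicode code points after normalization, not in bytes.

```python
"""Hypothetical password-acceptance checks (added example, not from the
original article or from NIST). Shows why a long passphrase fails the old
composition rules but passes the NIST-style length-only rules."""
import unicodedata
from typing import List, Optional

MIN_LEN = 8           # NIST floor for user-chosen passwords
RECOMMENDED_LEN = 15  # sites should nudge users toward at least this
MAX_LEN = 64          # verifiers must accept passwords at least this long


def normalize(password: str) -> str:
    """Apply Unicode normalization before counting or hashing.

    Assumption: NFKC is used here. The same password typed on different
    platforms (precomposed vs. combining accents) then compares equal,
    and len() counts code points rather than bytes.
    """
    return unicodedata.normalize("NFKC", password)


def check_legacy_policy(password: str) -> List[str]:
    """The 'old' composition rules the article says to retire.

    Returns a list of violations; an empty list means the password passes.
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def check_nist_policy(password: str) -> List[str]:
    """Length-only check modelled on the proposed NIST rules.

    No composition rules and no forced rotation; any printable ASCII or
    Unicode character is accepted. Returns a list of violations.
    """
    pw = normalize(password)
    n = len(pw)  # code points: an accented letter or an emoji counts once
    problems = []
    if n < MIN_LEN:
        problems.append("shorter than 8 characters")
    if n > MAX_LEN:
        problems.append("longer than 64 characters")
    return problems


def nist_advice(password: str) -> Optional[str]:
    """Soft recommendation shown to the user when the password is accepted
    but shorter than the recommended 15 characters."""
    n = len(normalize(password))
    if MIN_LEN <= n < RECOMMENDED_LEN:
        return "accepted, but consider at least 15 characters"
    return None


if __name__ == "__main__":
    # Constructed sample passwords for the comparison.
    for sample in ["P@ssw0rd!", "correct horse battery staple", "mañana café ☕ 2024"]:
        print(repr(sample))
        print("  legacy :", check_legacy_policy(sample) or "ok")
        print("  nist   :", check_nist_policy(sample) or "ok", nist_advice(sample) or "")
```

Note that “P@ssw0rd!” satisfies every legacy rule while “correct horse battery staple” fails two of them, even though the passphrase is far longer. The NIST guideline pairs the length-only check with a blocklist of known-compromised and commonly used passwords; that blocklist lookup is not shown here.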

A few things should be made clear. NIST’s guidelines are binding only on U.S. federal agencies; for everyone else, including the large technology companies that often follow them, they are recommendations that organizations can choose to adopt. And these are still proposed rules, so the public and the tech industry have time to weigh in before they are finalized.

While these proposals may seem counterintuitive, they should make traditional text-based login credentials more manageable for both users and administrators.