Data security - Myths busted

June 29, 2017

     Last year, I wrote about a security myth that frequently changing passwords is good for security (see blog post).

     The Trusted Identity Group at the National Institute of Standards and Technology released on March 31, 2017 a revised version of its Special Publication 800-63B, Authentication & Lifecycle Management. Although the NIST Guidance is only intended for Federal agencies, its influence is felt throughout the IT sector. Among its recommendations, this document addresses two security myths concerning passwords and updates current best practices.

                  First, the Publication states that passwords "SHOULD NOT ... be changed arbitrarily                  (e.g., periodically) and SHOULD only require a change if the subscriber requests a change              or there is evidence of compromise of the authenticator" (section 5.1.1.2).

 

     Second, the Publication states that other a minimum length requirement "no other complexity requirements for memorized secrets SHOULD be imposed" (section 5.1.1.1) and "composition rules (e.g., mixtures of different character types)" SHOULD NOT be imposed on passwords (section 5.1.1.2). 


     The Publication defines:

 

The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.

Please reload

Featured Posts

Timely marketing

March 16, 2020

1/2
Please reload

Recent Posts
Please reload

Archive