The US government wants to cut out some of its weirdest password rules

News
By published

Can't remember your mothers maiden name? Don't worry, you don't have to any more

Shadowed hands on a digital background reaching for a login prompt.
Image Credit: Shutterstock (Image credit: Shutterstock)

The National Institute of Standards and Technology (NIST) has decided it is time to bin some of the oldest, frustrating, and strange password requirements for the US government.

Among the requirements NIST is looking to do away with are mandatory resets, security questions and the use of certain characters when crafting a secure password.

Good cybersecurity hygiene demands the use of unique and complex passwords to ensure the highest level of security, but if you aren’t using one of the best password managers they can be a pain to remember.

See ya later, @ll1g4t0r

Included in the incomprehensibly huge SP 800-63-4 document released by NIST that lays the compliance groundwork for organizations that interact with the federal government, the agency has removed the need for organizations to enforce a periodic password change policy. Changing passwords regularly was originally brought in as a rule to combat password leaks in the thinking that if a password is leaked and then changed, the old credentials will no longer work if used by an attacker.

The downside of course was that people began using easily memorized passwords of a single word, and then just changing the special characters or increasing the numbers on the end by one (We’ve all done it). Password generators have rendered this practice almost obsolete, as the desired length, special characters, and complexity can be determined by the user to comply with any organizational demands.

The requirement of special characters has also been removed by NIST, and password will no longer need to include some kind of combination of lowercase and uppercase characters, along with special characters. Obviously, NIST has included a clause that states if there is any evidence a credential could have been compromised, then organizations should force a password change.

Additionally, knowledge-based authentication such as memorable places and security questions are to be banned from use. No longer will those interacting with the federal government be forced to remember the name of their first pet or a sibling's middle name in order to reset a password. The SP 800-63-4 Digital Identity Guidelines document is only in its second draft, and is therefore subject to change, but it is a signal that password practices could be about to change for the better.

Via ArsTechnica

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.