The best password advice right now (Hint: It's not the NIST guidelines)

Short and crackable vs. long, complex and prone to reuse? The password debate rages on, but this columnist has a change of mind.


The contrarian password policy recommendations that the National Institute of Standards and Technology (NIST) released in its Digital Identity Guidelines, Special Publication 800-63-3, have generated much controversy. Although the publication contains a great deal of sound, non-controversial authentication guidance, many consider the new password recommendations radically wrong.

My own thinking on the NIST password policy has changed, but before I get into that, let me review what I believe to be the best password policy advice.

What your password policy should be

Here’s what anyone’s password policy should look like, if you don’t have compliance concerns:

  • Use multi-factor authentication (MFA) where possible
  • Where MFA isn’t possible, use password managers where possible, especially if they create unique, long, random passwords for each security domain
  • Where password managers aren’t possible, use long, simple passphrases for passwords
  • In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.
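The policy above can be enforced mechanically. The following is an added example (not code from the article or from NIST) of a small validator and passphrase generator that follows it: it rejects passwords from a blocklist of common choices, requires length rather than character-class complexity, and, modelling what a password manager can do with its own vault, reports entries that reuse the same password across sites. The blocklist and word list are constructed stand-ins; a real deployment would load a breached-password list and a large diceware-style word list.

```python
import secrets

# Constructed stand-in for a breached/common-password blocklist.
# In practice load a large list (e.g. a "Have I Been Pwned"-style export).
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "password1"}

# Length is the property that matters for a passphrase; no character-class rules here.
MIN_PASSPHRASE_LENGTH = 16

# Constructed word list (assumption); a real one would hold thousands of words.
WORDS = [
    "correct", "horse", "battery", "staple", "harbor", "window",
    "copper", "meadow", "signal", "orbit", "garden", "falcon",
]


def check_password(candidate: str) -> tuple[bool, str]:
    """Validate a single password against the article's rules.

    Returns (ok, reason). Order matters: a common password is rejected
    before any length check so the user learns the real problem.
    """
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "common password"
    if len(candidate) < MIN_PASSPHRASE_LENGTH:
        return False, f"shorter than {MIN_PASSPHRASE_LENGTH} characters"
    return True, "ok"


def generate_passphrase(word_count: int = 4) -> str:
    """Build a long, simple passphrase from random dictionary words.

    secrets.choice is a CSPRNG; random.choice would not be acceptable here.
    """
    return " ".join(secrets.choice(WORDS) for _ in range(word_count))


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given a password manager's vault {site: password}, return
    {password: [sites...]} for every password used by more than one site.
    Only the manager sees plaintext for all sites, so this is where a
    cross-site reuse check belongs.
    """
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault for demonstration.
    sample_vault = {
        "bank.example": "meadow signal orbit garden",
        "mail.example": "meadow signal orbit garden",
        "shop.example": "copper falcon harbor window",
    }
    print(check_password("Password"))
    print(check_password(generate_passphrase()))
    print(find_reused(sample_vault))
```

The reuse check returns the offending password only because the vault already holds it in plaintext; a server-side check cannot do this and should instead rely on MFA and the blocklist.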
