The best password advice right now (Hint: It's not the NIST guidelines)

Short and crackable vs. long, complex and prone to reuse? The password debate rages on, but this columnist has a change of mind.

The contrarian password policy recommendations that the National Institute of Standards and Technology (NIST) released in its Digital Identity Guidelines, Special Publication 800-63-3, have generated much controversy. Although the publication contains a ton of great, non-controversial authentication information, many consider the new password recommendations radically wrong.

My own thinking on the NIST password policy has changed, but before I get into that, let me review what I believe to be the best password policy advice.

What your password policy should be

Here’s what anyone’s password policy should look like, if you don’t have compliance concerns:

  • Use multi-factor authentication (MFA) where possible
  • Where MFA isn’t possible, use password managers where possible, especially if they create unique, long, random passwords for each security domain
  • Where password managers aren’t possible, use long, simple passphrases for passwords
  • In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.
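The last two bullets are the part of that policy you can actually enforce in code: accept long, simple passphrases without composition rules, and reject common passwords (including the trivial "Password123!" variants of them). The example below is added here and is not code from the article or from NIST; the minimum length of 12, the six-entry deny list and the tiny word list are constructed for illustration (a real deployment would load a breached-password corpus and a proper diceware list, and the entropy helper assumes the 7776-word EFF list size only as an input).

```python
import math
import secrets
import unicodedata

# Constructed deny list for the example; in production this would be a
# large breached/common-password corpus loaded from disk.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "iloveyou", "welcome"}

# Assumed policy values, not taken from the article.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Characters people typically bolt onto a common word to "pass" a policy.
TRAILING_JUNK = "0123456789!@#$%^&*.?_-"

# Constructed word list; a real passphrase generator uses thousands of words.
WORDLIST = [
    "correct", "horse", "battery", "staple", "lantern", "orbit", "meadow", "quartz",
    "velvet", "cactus", "harbor", "pixel", "saddle", "thunder", "walnut", "zephyr",
]


def normalize(password: str) -> str:
    """Unicode-normalize so visually identical inputs compare and measure the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, deny_list=COMMON_PASSWORDS) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Deliberately no composition rules (uppercase/digit/symbol): long, simple
    passphrases are accepted as-is, which is the point of the advice above.
    """
    pw = normalize(password)
    folded = pw.casefold()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if folded in deny_list:
        problems.append("matches a common password")
    elif folded.rstrip(TRAILING_JUNK) in deny_list:
        problems.append("is a common password with trailing digits or symbols")
    return problems


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Build a random passphrase the way a password manager would, using a CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ["password", "Password123!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    print("generated:", generate_passphrase())
    print("6 words from a 7776-word list:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The deny-list check strips trailing digits and symbols before the lookup, so "Password123!" is rejected even though it would satisfy every classic complexity rule; the length check is the only hard structural requirement, which is what lets "correct horse battery staple" through.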
