Bill Burr, the person who originally wrote the password rules at NIST years ago, seems to regret how far that advice traveled and how it was used.
While it’s possible people will misstate his current views on the subject (proving his point again), the real issue is how we simple humans use passwords and follow recommendations.
It’s worth pointing out that all standards benefit from review and updates over time. When it comes to passwords, we have moved far beyond where we were years ago. We have a significantly larger user base, many examples of what doesn’t work, and most importantly, plenty of evidence of how people (everyday, normal, internet-using people) actually deal with password constraints and rules: we take shortcuts. So it may just be time to put the responsibility on systems to create greater security in spite of human nature.
The good news is that NIST released updated guidelines, primarily focused on longer passwords, fewer forced resets, and the elimination of hints and verification questions. For many, this will be welcome news, and it is appropriate for many environments.
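To make the shift concrete, here is an added example (my own illustration, not code from the post or from NIST) contrasting the old composition-rule checker that Burr's advice turned into with a verifier in the style of the updated guidance. The 8-character minimum, the 64-character maximum that must be accepted, the comparison against a list of common or breached passwords, the context-word check and the absence of composition rules are my reading of NIST SP 800-63B rather than anything stated in the post; the blocklist and the sample passwords are constructed.

```python
"""Legacy composition rules vs. a NIST SP 800-63B-style password verifier.

Added example. Policy values (8/64 length bounds, blocklist, context words,
no composition rules) are assumptions drawn from SP 800-63B, not from the post.
"""
import unicodedata

# Constructed sample blocklist standing in for a real breached/common-password list.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 8   # assumption: SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64  # assumption: SP 800-63B requires verifiers to accept at least 64


def legacy_check(secret: str) -> list[str]:
    """The old style: short minimum plus mandatory character classes."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in secret):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in secret):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in secret):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in secret):
        problems.append("needs a symbol")
    return problems


def normalize(secret: str) -> str:
    # NFKC so visually identical Unicode input compares equal and length is stable
    return unicodedata.normalize("NFKC", secret)


def nist_check(secret: str, context: tuple[str, ...] = (),
               blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Length plus blocklist and context checks; no character-class rules."""
    s = normalize(secret)
    lowered = s.lower()
    problems = []
    if len(s) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if lowered in blocklist:
        problems.append("appears in a blocklist of common or breached passwords")
    # Context-specific words (username, service name) should not be the secret
    for word in context:
        if word and word.lower() in lowered:
            problems.append(f"contains context word {word!r}")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "short"):
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={nist_check(pw)}")
```

The contrast is the point: "P@ssw0rd" satisfies every legacy composition rule yet is rejected under the newer approach because it sits on the blocklist, while a long passphrase with no digits or symbols is rejected by the legacy rules and accepted by the length-plus-blocklist check. Forced rotation is deliberately absent: under the updated guidance a reset is triggered by evidence of compromise, not a calendar.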
The bad news is your company might not catch up for a while so eNj0y!