Many were left amazed by the new password guidelines proposed by the National Institute of Standards and Technology (NIST), mostly because of the progressive changes they contain.
The most surprising part, however, was not the changes themselves but how little attention they received, from the blogosphere to the official media.
NIST's rules are not mandatory for non-governmental organizations, true, but that does not make them bad or commonly ignored. In fact, many companies use them as a baseline when writing their own policies. The changes NIST brought (in Special Publication 800-63B, the authentication volume of its Digital Identity Guidelines) should affect everyone who does anything on the web, and yet the rules are hardly mentioned anywhere, even though they were finalized and issued on March 31.
The three main changes are:
- No more periodic password changes. Research showed that forced rotation is a burden on users and IT departments alike and did not improve security; in practice it made things worse, because people respond with predictable variations of the old password (Password1 becomes Password2). NIST now says a password should be changed only when there is evidence it has been compromised.
- No more imposed complexity rules. Requirements such as "at least one uppercase letter, one digit and one symbol" gave a false sense of security while adding very little real strength, because users satisfy them in predictable ways (a capital first letter, a "1" or "!" at the end). Length matters more: NIST asks for a minimum of 8 characters and for verifiers to accept at least 64, including spaces and any printable character.
- Mandatory screening of newly created passwords. A new password must be checked against a list of values known to be commonly used, expected or compromised: passwords from previous breaches, dictionary words, repetitive or sequential strings ("aaaaaa", "1234abcd") and context-specific words such as the username or the name of the service. Passwords like "password" or "123456789" may seem clever to someone who thinks "who would even try that", but they are the very first things an attacker tries.
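The following Python verifier is an added example (not code from the original post, and not NIST's own), showing what the three changes above look like when written down: a minimum length with no composition rules, no expiry, and a screening step against a blocklist, context-specific words, and repetitive or sequential characters. The blocklist contents are constructed for the example, and the run length of 4 for repetition/sequence detection and the 3-character floor for context words are assumed thresholds, not values taken from the guideline.

```python
import re
import unicodedata

# Constructed blocklist for this example. A real verifier would load a far
# larger corpus (breach dumps, dictionary words); these entries are
# illustrative, not a list published by NIST.
COMMON_PASSWORDS = {
    "password", "123456789", "qwerty", "letmein", "iloveyou",
    "password1", "passw0rd", "welcome", "admin", "football",
}

MIN_LENGTH = 8     # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_ACCEPTED = 64  # SP 800-63B: verifiers must accept at least 64; no cap is enforced here


def normalize(secret: str) -> str:
    """NFKC-normalize the secret so equivalent Unicode spellings compare equal.

    SP 800-63B allows NFKC or NFC normalization before hashing and forbids
    truncation, so nothing is cut off here.
    """
    return unicodedata.normalize("NFKC", secret)


def has_repetition(secret: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def has_sequence(secret: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step up or down by exactly one
    code point, which catches '1234', 'abcd' and '4321' (assumed threshold)."""
    codes = [ord(c) for c in secret.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        deltas = {b - a for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def check_password(candidate: str, username: str = "", service: str = "",
                   blocklist=COMMON_PASSWORDS) -> list:
    """Screen a new password the way SP 800-63B section 5.1.1.2 describes.

    Returns a list of rejection codes; an empty list means the password is
    accepted. Note what is deliberately absent: no composition rules (no
    'one uppercase, one digit, one symbol') and no expiry date.
    """
    secret = normalize(candidate)
    lowered = secret.lower()
    reasons = []

    # Length counts Unicode code points, not bytes; spaces are allowed.
    if len(secret) < MIN_LENGTH:
        reasons.append("too_short")

    # Commonly used, expected or compromised values.
    if lowered in blocklist:
        reasons.append("blocklisted")

    # Context-specific words: the username and the service name (a real
    # deployment would also cover simple derivatives). The 3-character floor
    # is an assumption to avoid rejecting on trivially short fragments.
    if username and len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains_username")
    if service and len(service) >= 3 and service.lower() in lowered:
        reasons.append("contains_service_name")

    # Repetitive or sequential characters.
    if has_repetition(secret):
        reasons.append("repeated_characters")
    if has_sequence(secret):
        reasons.append("sequential_characters")

    return reasons


if __name__ == "__main__":
    for pw in ["password", "123456789", "correct horse battery staple", "1234abcd"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

Notice that a long passphrase with spaces and no digits or symbols passes, while "Password" fails only because it is on the blocklist, not because of any character-class rule. In production the blocklist lookup would be against a breach corpus of hundreds of millions of entries, and the verifier would then store the accepted secret with a salted, memory-hard hash; neither of those steps is shown here.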
So the question remains: if the rules are important enough to be included, why is no one talking about them?
Well, for one, people are deeply disappointed with passwords. For years they followed every rule on how to create the strongest password or how to improve their security by changing it regularly, and all they heard in return was news of one breach after another. They simply stopped believing these rules mean anything.
Another reason might be the growing use of two-factor authentication. Why worry about a password when an attacker would also need your phone? If anyone tries to log in, a code is sent to the phone, and without it there is no login. So passwords are pushed into the background, even though the password is still the first factor and a weak one remains the easier half of the pair to break.
Finally, many people rely heavily on password managers, which store all their passwords and generate new ones when needed, so why bother doing anything about them ourselves? This works smoothly on PCs, but users still have to be careful on their smartphones, where the manager does not always fill in the form and the password ends up being typed by hand.
And just like that, password security is no longer taken seriously, since there seem to be other ways of achieving the same level of safety. Are these changes even important? Of course. Passwords will probably be with us forever: whatever other method you use to secure your device, even fingerprints or facial recognition, a password usually remains behind it as the fallback. So even the slightest improvements deserve our attention.