Thursday, June 29, 2017

Data security - Myths busted

     Last year, I wrote about a security myth that frequently changing passwords is good for security (see blog post).

     The Trusted Identity Group at the National Institute of Standards and Technology released a revised version of its Special Publication 800-63B, Authentication & Lifecycle Management, on March 31, 2017. Although the NIST guidance is only intended for Federal agencies, its influence is felt throughout the IT sector. Among its recommendations, this document addresses two security myths concerning passwords and updates current best practices.

     First, the Publication states that passwords "SHOULD NOT ... be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator" (section

     Second, the Publication states that, other than a minimum length requirement, "no other complexity requirements for memorized secrets SHOULD be imposed" (section and that "composition rules (e.g., mixtures of different character types)" SHOULD NOT be imposed on passwords (section
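     To make the two recommendations concrete, the following Python example (added here; it is not code from the post or from NIST) places a typical legacy composition-rule policy beside a length-only policy, and a calendar-driven rotation rule beside one that triggers only on a user request or evidence of compromise. The minimum of 8 and maximum of 64 characters, the 90-day legacy expiry, and the sample passwords are assumed parameters for illustration, not figures taken from the post.

```python
"""Legacy composition/expiry password rules beside length-only, event-driven
rules in the spirit of the SP 800-63B text quoted above. Added example; the
numeric parameters below are assumptions, not values stated in the post."""
import re
from datetime import date, timedelta

MIN_LENGTH = 8       # assumed minimum length for a user-chosen password
MAX_LENGTH = 64      # assumed upper bound so long passphrases are accepted
LEGACY_MAX_AGE = 90  # assumed legacy "change every N days" rule


def legacy_policy(password: str) -> list[str]:
    """Return the rule violations under a typical composition-rule policy.

    An empty list means the password is accepted.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", password):
        problems.append("needs uppercase")
    if not re.search(r"[a-z]", password):
        problems.append("needs lowercase")
    if not re.search(r"[0-9]", password):
        problems.append("needs digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs symbol")
    return problems


def length_only_policy(password: str) -> list[str]:
    """Return the rule violations under a length-only policy.

    No composition rules are applied; only the length bounds are checked.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if len(password) > MAX_LENGTH:
        problems.append("too long")
    return problems


def rotation_required_legacy(last_changed: date, today: date) -> bool:
    """Calendar-driven rotation: force a change once the password is older
    than LEGACY_MAX_AGE days, regardless of any evidence of compromise."""
    return today - last_changed > timedelta(days=LEGACY_MAX_AGE)


def rotation_required_event_driven(user_requested: bool,
                                   compromise_evidence: bool) -> bool:
    """Event-driven rotation: change only when the user asks for it or there
    is evidence that the authenticator has been compromised."""
    return user_requested or compromise_evidence


if __name__ == "__main__":
    # Constructed sample passwords: a short, patterned one that satisfies
    # every composition rule, and a long passphrase that satisfies none.
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} "
              f"length_only={length_only_policy(pw)}")

    last = date(2017, 1, 1)
    today = date(2017, 6, 29)
    print("legacy rotation due:", rotation_required_legacy(last, today))
    print("event-driven rotation due:",
          rotation_required_event_driven(user_requested=False,
                                         compromise_evidence=False))
```

     Running the script shows the practical difference: the composition policy accepts the short, patterned password and rejects the 28-character passphrase (no uppercase letter, no digit), while the length-only policy does the opposite; and the calendar rule demands a change after 179 days even though nothing has happened, whereas the event-driven rule stays quiet until a request or a compromise indicator arrives.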

     The Publication defines:
The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
- Henry Park

