Buried deep in a new draft of NIST guidelines is a shift in password strategy from periodic changes to use of a long "memorized secret," according to a post on the site of security blogger Graham Cluley.
The shift in strategy is contained within a section covering authentication and lifecycle in a proposed draft of the Digital Identity Guidelines, Special Publication 800-63-3, from the National Institute of Standards and Technology (NIST). To avoid complexity, rather than require users to reset their passwords on a periodic basis, the updated best practice now advocates that security administrators instead urge use of what it refers to as memorized secrets. These would encompass strings of 64 characters or more, consisting of sentences or phrases that users could easily memorize. The secret could contain word spaces or any other characters the user prefers.
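As an added illustration (not code from the article or from NIST), here is a verifier-side check in Python that follows the draft's guidance as described above: length counted in characters rather than bytes, spaces and any other printable character allowed, a hash that does not truncate a long passphrase, and no age-based expiry. The 8-character lower bound, the 256-character cap and the scrypt parameters are assumptions for this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values for this example. Only the "accept at least 64
# characters" and "spaces or any character allowed" rules come from the draft.
MIN_LENGTH = 8      # assumed lower bound, not stated in the article
MAX_LENGTH = 256    # verifier must accept at least 64; allow more


def normalize(secret: str) -> str:
    """Canonicalize so visually identical inputs compare equal (NFKC)."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str):
    """Return (accepted, reason). Length is counted in Unicode code points,
    and spaces or any printable character are allowed; only control
    characters are rejected."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH:
        return False, "too long"
    if any(unicodedata.category(ch).startswith("C") for ch in s):
        return False, "control characters not allowed"
    return True, "ok"


def hash_secret(secret: str, salt: bytes = b""):
    """Hash the full normalized secret with scrypt. Unlike bcrypt, scrypt
    has no 72-byte input limit, so a 64+ character phrase is not silently
    truncated. Parameters are assumed, not taken from the draft."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(secret).encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def needs_change(age_days: int, known_compromised: bool) -> bool:
    """Old practice would return age_days > 90. Under the draft, the age
    of the secret is irrelevant; only evidence of compromise forces a change."""
    return known_compromised
```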
The shift by NIST has long been advocated by a number of security pros, including British security blogger Graham Cluley and Per Thorsheim, CEO of Passordninja AS, a Norway-based identity protection company. But the move has been stymied by security personnel holding onto old password standards, the post said.
The password strategy is outlined in section 10.2.1 of NIST's proposed guidelines:
When users create and change memorized secrets: