5 password protection fallacies

The National Institute of Standards and Technology (NIST) has recently updated certain password guidelines that were previously thought to improve security.[1] The new recommendations aim to reduce the vulnerabilities that result from enforcing certain password requirements.

According to NIST, the following "protections" are no longer recommended when establishing your employees' or accountholders' password requirements:

Password Protection Fallacy #1: Require Special Characters in Passwords

NIST now suggests companies eliminate special character requirements, stating the following regarding the adverse effect these rules can have: “Users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”

NIST also now recommends accepting any character in a password, rather than rejecting certain ones (e.g. spaces and dashes), so that users can choose long passphrases.
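To make the difference concrete, here is a small added example (not code from the article or from NIST) that puts a composition-rule validator next to a length-and-blocklist validator of the kind NIST now favors. The minimum length of 8 and the three-entry blocklist are assumptions for the demo; the blocklist is constructed from the predictable variants NIST quotes above, and a real deployment would use a much larger list of breached or common passwords.

```python
from typing import List, Tuple

MIN_LENGTH = 8  # assumed minimum for user-chosen passwords (not stated on this page)

# Constructed blocklist: the predictable variants quoted from NIST above.
# Assumption for the demo; production would load a large breached-password list.
BLOCKLIST = {"password", "password1", "password1!"}


def predictable_variants(word: str) -> List[str]:
    """Apply the transformations NIST describes users making to satisfy
    composition rules: capitalize, append a digit, append a symbol."""
    cap = word[:1].upper() + word[1:]
    return [word, cap + "1", cap + "1!"]


def legacy_check(pw: str) -> bool:
    """Old-style policy: upper + lower + digit + symbol, and spaces/dashes
    are rejected. Note that it happily accepts 'Password1!' while rejecting
    a long passphrase that contains a space."""
    if len(pw) < MIN_LENGTH:
        return False
    if any(c in " -" for c in pw):
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    return has_upper and has_lower and has_digit and has_symbol


def nist_style_check(pw: str) -> Tuple[bool, str]:
    """NIST-style policy: no composition rules, every character (including
    spaces, dashes and non-ASCII) is allowed; reject only on length or on a
    match against the known-weak blocklist (compared case-insensitively)."""
    if len(pw) < MIN_LENGTH:  # length counted in code points, not bytes
        return False, "too short"
    if pw.lower() in BLOCKLIST:
        return False, "commonly used"
    return True, "ok"


def compare(pw: str) -> dict:
    """Run both policies on one candidate so the divergence is visible."""
    ok, reason = nist_style_check(pw)
    return {"password": pw, "legacy": legacy_check(pw), "nist": ok, "reason": reason}


if __name__ == "__main__":
    samples = predictable_variants("password") + [
        "correct horse battery-staple",
        "пароль с пробелом",  # non-ASCII passphrase with a space
    ]
    for s in samples:
        print(compare(s))
```

Running the block shows the point of the NIST quote: the legacy validator rejects "password" and "Password1" but accepts "Password1!", the exact string the composition rules steer users toward, while rejecting the passphrase with a space. The NIST-style validator rejects all three predictable variants as known-weak and accepts the two passphrases.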
