Not sure if the new password rules are going to be effective, given that the public community (personal accounts such as online banking, online shopping, brokerage accounts, etc.), for the most part, has no password expiration requirements; many require the user to employ 3 out of 4 character types (upper, lower, number, special characters), and most limit the use of all special characters. But the problem as I see it is the frustration of changing passwords that are significantly complex. I tend to use passwords (when the application permits) that look like my 2-year-old granddaughter was typing or my cat was walking across the keyboard. In other words, ones that are so weird the cracking tools would give up or bypass them. As a retired IT auditor, it was always my experience that clients will generally go along with the Best Practice if you can substantiate its use.
The whole point is in educating the end user. Respecting the complexity/aging won't HELP, as we still see stolen pwds (brute force, rainbow tables, etc.). I have seen examples where end users were lazy and added a special character each time they were forced to change their pwd. Or the best, the least effort when choosing a compliant pwd: "Abcdefg.".
The 57 one is a famous actor; the password was tatters.
What I do is create a table of printable ASCII characters and toss in +-=_@#$%^&;:,.<>~?!|"'*` along with upper case, lower case, and 0-9, at which point I can generate a password with any number of characters, turn off the special characters for sites that have broken security, and not bother to remember any of the passwords; I simply generate the passwords and change them at random intervals, and I can save them as notes in the password tables.
Asking your users to change the password every so many days makes it boring. People get used to logging in with a certain password, and when they have to change it, it causes problems trying to forget the old password and remember the new one, which creates extra work for the IT team resetting the password, and the person bothers other employees while locked out of their machine. We need a way to create a new password while allowing the old one to work until the person thinks they have the new one remembered and can lock in their new password as the only password that works for that account. But having people either carry a smart phone or a key generator is likely a good idea, or simply, as others have said, make sure that the physical security is good enough that they can use less secure passwords on site and more secure passwords to connect to off-site resources.
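The "let the old password keep working until the new one is memorized" idea in the comment above, worked through as an added example (this is not code from the original discussion, from NIST, or from any product). It keeps one active password plus an outgoing one that stays valid only inside a bounded grace window or until the user explicitly locks in the new password. The class and method names (`Account`, `begin_rotation`, `lock_in`, `verify`), the PBKDF2 parameters and the injectable clock are assumptions made for illustration; the passwords in the `__main__` block are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time

# PBKDF2-HMAC-SHA256 work factor. Assumed value for this example; tune to
# your hardware so a verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def _derive(password):
    """Return (salt, digest) for a fresh random 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def _matches(stored, password):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One account with a current password and, during rotation, a previous one.

    `previous` is accepted only while clock() < grace_until and is dropped
    as soon as the user locks in the new password. At most two secrets are
    ever valid, and the window is bounded even if the user never locks in.
    """

    def __init__(self, password, *, clock=time.time):
        self.clock = clock            # injectable for tests; defaults to wall clock
        self.current = _derive(password)
        self.previous = None
        self.grace_until = None

    def begin_rotation(self, old_password, new_password, grace_seconds):
        """Set a new password but keep the old one working for grace_seconds.

        Starting a second rotation before the first has been locked in
        retires the older password immediately, so the set of valid
        secrets never grows beyond two.
        """
        if not _matches(self.current, old_password):
            raise PermissionError("current password required to rotate")
        if _matches(self.current, new_password):
            raise ValueError("new password must differ from the old one")
        self.previous = self.current
        self.current = _derive(new_password)
        self.grace_until = self.clock() + grace_seconds

    def lock_in(self, new_password):
        """User confirms they remember the new password: retire the old one now."""
        if not _matches(self.current, new_password):
            raise PermissionError("confirm with the new password to lock it in")
        self.previous = None
        self.grace_until = None

    def verify(self, password):
        """Return 'current', 'previous' (grace login) or None.

        An expired grace window is cleaned up here so a stale previous
        password can never be accepted late.
        """
        if _matches(self.current, password):
            return "current"
        if self.previous is not None:
            if self.clock() >= self.grace_until:
                self.previous = None
                self.grace_until = None
            elif _matches(self.previous, password):
                return "previous"
        return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    acct = Account("Winter2017!")
    acct.begin_rotation("Winter2017!", "correct horse battery staple", grace_seconds=3600)
    print(acct.verify("Winter2017!"))                  # previous (grace login)
    print(acct.verify("correct horse battery staple")) # current
    acct.lock_in("correct horse battery staple")
    print(acct.verify("Winter2017!"))                  # None
```

A grace window doubles the number of secrets an attacker can use, so keep it short and treat a successful login with the new password as the natural moment to offer the lock-in step rather than waiting for the user to remember to do it.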
I am on board with the new NIST guidance. I expect having some interesting conversations with our customers about these changes. Many of them still have the older recommendations in their contracts.
This should not be seen as a ruling; it's advice, and not bad advice at that. We must always remember, though, that security is not a blanket that fits all; it needs to be appropriate to the information we are protecting, and our password approach must be flexible enough to provide the necessary protection.
Passwords have had their day though so we do need to provide users with a better and more secure authentication experience.
I prefer the advice coming from the UK with regards to this evolution - https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
This provides a good balance: we may reduce password security (by our old thinking), but what we must do is counter that by putting more emphasis on our IT processes, such as through increased or targeted monitoring.
I am with you on this. I'm wondering if there is a mathematician here in the group who could show "aaaaaaaaaaaaaa" is more secure than "$(@^$)&%".
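An added example (not code from any commenter or from the original page) that serves two posts in this thread: the character-table generator with a specials toggle described in the earlier comment, and the search-space comparison asked about just above. The special-character set is taken from that earlier comment; the 3-of-4 composition check mirrors the rule mentioned in the first comment. The function names, the use of `string.punctuation` (32 symbols) as the attacker's alphabet for the 8-character string, and the `__main__` sample calls are assumptions made for illustration.

```python
import math
import secrets
import string

# Character classes, following the table described in the earlier comment.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIALS = "+-=_@#$%^&;:,.<>~?!|\"'*`"   # the commenter's list, 24 symbols


def build_charset(allow_specials=True):
    """Alphabet to draw from; allow_specials=False is the 'turn off specials' toggle."""
    chars = UPPER + LOWER + DIGITS
    if allow_specials:
        chars += SPECIALS
    return chars


def character_classes(password):
    """How many of the four classes (upper, lower, digit, special) appear."""
    return sum(any(c in cls for c in password)
               for cls in (UPPER, LOWER, DIGITS, SPECIALS))


def generate_password(length, allow_specials=True, min_classes=1):
    """Draw `length` characters uniformly from the charset.

    `secrets.choice` uses the OS CSPRNG; `random.choice` would be wrong here
    because its internal state is recoverable from observed output.
    `min_classes` enforces an n-of-4 composition rule by rejection sampling,
    which keeps the distribution uniform over the accepted strings.
    """
    charset = build_charset(allow_specials)
    available = 4 if allow_specials else 3
    if not 1 <= min_classes <= min(length, available):
        raise ValueError("min_classes cannot be satisfied with these settings")
    while True:
        pw = "".join(secrets.choice(charset) for _ in range(length))
        if character_classes(pw) >= min_classes:
            return pw


def search_space_bits(charset_size, length):
    """log2 of the number of candidates an exhaustive attacker must cover when
    every position is drawn uniformly from `charset_size` symbols.

    This measures the generation process, not a particular string:
    'aaaaaaaaaaaaaa' lives in the same 26**14 space as a random 14-letter
    string, but a guesser that tries repeated characters early reaches it
    almost immediately.
    """
    return length * math.log2(charset_size)


def compare_comment_examples():
    """Worked numbers for the two strings in the question above.

    Returns (bits for 14 lowercase positions, bits for 8 punctuation positions),
    assuming the attacker's alphabets are the 26 letters and the 32 printable
    ASCII punctuation symbols respectively.
    """
    lower14 = search_space_bits(len(LOWER), len("aaaaaaaaaaaaaa"))
    special8 = search_space_bits(len(string.punctuation), len("$(@^$)&%"))
    return lower14, special8


if __name__ == "__main__":
    full = build_charset()
    plain = build_charset(allow_specials=False)
    print(generate_password(20, min_classes=3), search_space_bits(len(full), 20))
    print(generate_password(20, allow_specials=False), search_space_bits(len(plain), 20))
    print(character_classes("Abcdefg."))   # the 'least effort' example from the thread
    print(compare_comment_examples())
```

The two numbers that `compare_comment_examples` returns are brute-force ceilings under a uniform-random model; they say nothing about how quickly a pattern-aware or dictionary-based guesser would hit a string that a human actually chose.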
I personally dislike the "this password has been used recently and cannot be used" rule. This is close to the no-more-password-expiration rule.