For those comfortable with the use of a password safe, you can still go overboard on the mixing of characters and use as long a password as you possibly can. (I still intend to.)
The new recommendations are improvements without any real drawbacks, IMO. It helps those who just can't or won't use safes to come up with personalised and secure passwords a lot more easily than the previous recommendations did.
With all these changes happening I see one thing staying the same...
Passwords written on sticky notes, attached to the bottom of a keyboard.
Although NIST is making recommendations concerning password complexity and negating password expiration (etc.), they will never be able to change the most influential factor in password security: human behavior.
I.T. security always has been and always will be under threat, a threat that can only be mitigated, never resolved, by people in our profession. I look forward to the challenge.
No matter how much we talk about changing passwords, or min/max lengths, or using passphrases instead of passwords, etc., without enabling multifactor authentication, passwords will always be weak.
We need to enforce MFA more than password security in my opinion...
I am actually in favor of passwords (or passphrases) expiring. We have seen tons of breaches over the years and I do not think that will change in the near future. There really are a bunch of teenagers who try these leaked passwords. Many of them have the motive to decrypt or guess it from the password hint questions. If you do not change your password periodically, your leaked password from a 2013 breach can possibly still be usable. Password expiry is something that is helpful for system admins to force users to have better security awareness (not security, but awareness). If users feel that they are part of your security framework, it will be very beneficial for both ends (as long as you are not storing confidential data unencrypted).
PCI and other industry-accepted global standards always mention NIST as a baseline, so even if NIST is a national standard, it has a global perspective as well. So, you can think that password expiry was something that is old-fashioned, or diminishes security overall, but you must also think of everyone else who does not have security knowledge like you do. This does not mean that you should stop thinking of any progress.
I strongly agree that if the period for changing passwords is too short, the passwords become SecurePass1, SecurePass2, and so on. It is definitely guessable. But there are some people mentioning "teaching". Maybe in your lessons, you could say this is wrong, and tell them clever passphrases are much better - long enough to be secure and easy to remember: LeavesFALLin09 (as in September), ThisGonnaBeACold10 (as in October), RememberTheFifthof11! (November)...
It would be very nice to be user-friendly and have the verifier be as strong as possible, but as the previous replies mentioned, you must have a second factor (multi-factor or multi-step) to protect your identity. All passwords (or passphrases) can be brute-forced; it is just a matter of time.
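The previous reply's two points, a password leaked in an old breach staying usable and the SecurePass1/SecurePass2 rotation pattern, are exactly what the NIST SP 800-63B verifier-side checks are meant to catch: compare the candidate against a breach corpus and context-specific words, enforce a minimum (and a generous maximum) length, and impose no character-class rules. The following is an added example written for this page, not code from NIST or from any commenter. The blocklist is a constructed six-entry stand-in for a real breach corpus, and the stem() heuristic that undoes trailing counters and leet substitutions is this example's own assumption, not something the standard prescribes.

```python
import re
import unicodedata

# Constructed stand-in for a breached-password blocklist. A real deployment
# would load a breach corpus (hundreds of millions of entries), not six words.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "securepass", "welcome1",
}

MIN_LENGTH = 8    # SP 800-63B: memorized secrets must be at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters

# Common "leet" substitutions undone before the blocklist lookup, so that
# "P@ssw0rd" is recognised as the leaked "password". (Example's own heuristic.)
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def stem(password: str) -> str:
    """Reduce a password to the stem that a 'SecurePass1 -> SecurePass2'
    rotation leaves unchanged: case-fold, strip leading/trailing digits and
    symbols, then undo leet substitutions."""
    folded = normalize(password).casefold()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", folded)
    return core.translate(LEET)


def is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'hgfedcba' (every step +1 or -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, username: str, service: str = "example") -> list[str]:
    """Return the reasons to reject `candidate`; an empty list means accepted.
    Note what is absent: no character-class rules and no expiry date."""
    pw = normalize(candidate)
    folded = pw.casefold()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    for word in (username, service):
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word {word!r}")
    if folded in BREACHED_PASSWORDS:
        reasons.append("appears in breach corpus")
    elif stem(pw) in BREACHED_PASSWORDS:
        reasons.append("trivial variant of a breached password")
    if len(set(folded)) == 1 or is_sequential(folded):
        reasons.append("repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ("SecurePass1", "P@ssw0rd!", "12345678", "alice2024!!",
               "correct horse battery staple"):
        verdict = check_password(pw, username="alice") or ["accepted"]
        print(f"{pw!r:32} {'; '.join(verdict)}")
```

The check runs at password-set time only; it is what replaces the periodic forced change, since a password that is not in any breach corpus and is not a counter-rotated variant of one does not become weaker by ageing.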
The new guidelines from NIST are a great step forward. Is there any guidance with regard to good passphrases and two factor authentication?
It's all a bit ironic that I've just been forced to change my ISC2 password to include all four character sets. If we're going to use our ISC2 credentials to show that we are at the cutting edge of Information Security, our industry body should be a little more forward-thinking.
If the method can ever be standardized, Gibson's SQRL looks promising as a means to solve the issue of longer passwords written under keyboards.
It's about time this was addressed. The "one of this, two of that, no repeats, and no characters next to each other" rules lead to more time spent with the identity managers changing passwords and cause user outages at the worst times.
I read an article a couple of years ago so I can't confirm it, but I believe the guy that invented the basis for the current craziness says he wishes he had never written that article.
Random words placed in a way so you can make a passphrase in your head with them has much more entropy and true randomness than any of the previous password requirements.
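The entropy claim in the comment above, and the earlier reply's point that any password can be brute-forced given enough time, can both be put in numbers. The following is an added example for this page, not code from any commenter: it computes the entropy of uniformly random word or character selection, shows how many words a target strength needs, and turns bits into a mean cracking time at an assumed guess rate. The 16-word list is constructed for the demo (a real Diceware list has 7776 words, the size used in the figures), and the 1e10 guesses/second offline rate is an assumption, not a measurement.

```python
import math
import secrets

# Constructed 16-word stand-in for a word list. A real Diceware list has
# 7776 (6^5) words; the entropy figures below use that size.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "leaves", "autumn", "cold",
    "remember", "lantern", "copper", "velvet", "orbit", "meadow", "quartz",
    "harbor", "timber",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 94          # alphabet size for "all four character sets"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly, with replacement, from an
    alphabet of `alphabet_size`. Valid only for uniformly random choice: a
    human-picked phrase such as 'LeavesFALLin09' gets no such guarantee."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], count: int = 6) -> str:
    """Pick `count` words with the CSPRNG (`secrets`, never `random`);
    the uniform draw is what makes entropy_bits() apply to the result."""
    return " ".join(secrets.choice(words) for _ in range(count))


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from `list_size` giving at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to find the secret: half the keyspace at the given rate.
    Brute force is always possible; the question is whether the mean time
    is seconds (online, fast hash) or astronomical."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    six_words = entropy_bits(DICEWARE_LIST_SIZE, 6)
    eight_chars = entropy_bits(PRINTABLE_ASCII, 8)
    print(f"6 Diceware words : {six_words:.1f} bits")
    print(f"8 printable chars: {eight_chars:.1f} bits")
    print(f"6 words from a {len(SAMPLE_WORDS)}-word list: "
          f"{entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits (list size matters)")
    print(f"words for 80 bits: {words_needed(80)}")
    rate = 1e10  # assumed offline rate against a fast unsalted hash
    years = expected_crack_seconds(six_words, rate) / (365 * 86400)
    print(f"mean crack time for 6 words at 1e10 guesses/s: {years:,.0f} years")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Two things the numbers make visible: six random Diceware words (about 77.5 bits) beat eight characters from all 94 printables (about 52.4 bits) while being far easier to remember, and the same six words drawn from a 16-word list give only 24 bits, so the list size is part of the strength, not just the word count.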
From an OS or application perspective, these passwords would be a challenge, and I expect it to take a lot of time to account for these variations. Keeping to 16 characters has shaped many DB tables, and I would expect these to have to be rebuilt. It is not just an OS fixing the hash sizes; it is a matter of fixing the applications/middleware and then the OS to enforce it. I think the concept is a great idea. The "no password hint" rule is even better... just reset your password.
"When" this happens... I'll be doing the happy dance. I recently had to create a password that couldn't include any dictionary word combinations. This started with two characters, so even the inclusion of "oN" as part of the password resulted in an unacceptable password. Using a passphrase I can remember without the arbitrary need for special characters and numbers will definitely be a move in the right direction.