I recently received a password policy for review that seems to be taking us back a decade. We've already had a solid policy in place for years, so I'm confused as to why a new one is needed. The current draft doesn't mention biometrics or Single Sign-On (SSO) and only briefly touches on Multi-Factor Authentication (MFA). I'm curious—what password policies are others using nowadays? Can anyone share some templates or best practices?
5 Answers
You might want to check out the NIST authentication guidelines. They're quite comprehensive and push for modern practices, including security without frequent password changes. Here's a link: [NIST guidelines](https://pages.nist.gov/800-63-4/sp800-63b.html)
Exactly! It feels like a constant fight trying to convince people that we need to adapt.
True, but security evolves. It's about balancing user experience with safety.
Our requirement is a 16-character password that includes upper and lower case letters, special characters, and numbers, changed every year. It's not ideal, but user feedback has helped us switch to this more complex yet less frequent change policy, which they tolerate better. Users still dislike it though!
I think setting passwords to expire once a year contributes to users choosing terrible passwords just to comply. We need to get rid of that practice!
Yeah, I heard NIST suggested dropping those extra complexity requirements altogether... maybe we should consider that?
Or, we could just make one account for everyone with a single password that never expires! Sounds secure, right? Just kidding!
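The 16-character composition policy quoted above, checked side by side with a NIST SP 800-63B-style policy (length, blocklist and context screening, no character-class rules, rotation only on evidence of compromise), as an added example that is not from any poster; the blocklist entries, the 8-character default minimum and all function names are assumptions.

```python
"""Legacy policy from the thread (16 chars, four character classes, yearly rotation)
beside a NIST SP 800-63B-style check. Added illustration, not any poster's code."""
import string
from dataclasses import dataclass, field

# Constructed stand-in for a real breach-derived compromised-password corpus (lowercased).
BREACHED_PASSWORDS = {"p@ssw0rd12345678", "welcome2024!!", "summer2023!summer"}


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def legacy_policy(pw: str) -> Verdict:
    """The composition rule quoted above: 16+ chars with upper, lower, digit and special."""
    reasons = []
    if len(pw) < 16:
        reasons.append("shorter than 16 characters")
    if not any(c.isupper() for c in pw):
        reasons.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        reasons.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in pw):
        reasons.append("no special character")
    return Verdict(not reasons, reasons)


def nist_style_policy(pw: str, context_words=(), min_len: int = 8) -> Verdict:
    """Length plus blocklist/context screening; no character-class rules (min_len assumed)."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in BREACHED_PASSWORDS:
        reasons.append("appears in compromised-password list")
    for word in context_words:  # e.g. username, company or product name
        if word.lower() in pw.lower():
            reasons.append(f"contains context word {word!r}")
    return Verdict(not reasons, reasons)


def rotation_required(age_days: int, compromised: bool, max_age_days=None) -> bool:
    """Legacy: expire after max_age_days. NIST-style (max_age_days=None): only on compromise."""
    if compromised:
        return True
    return max_age_days is not None and age_days > max_age_days
```

A breached value that satisfies every composition rule passes the legacy check and fails the NIST-style one, while a long passphrase does the reverse.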
We ditched passwords entirely last year! Now everyone uses FIDO tokens or Windows Hello. It’s been a game changer, but some places are still stuck on old policies. Root passwords get rotated yearly. Everyone loves how easy it is—once they get past the initial learning curve!
I miss the simplicity of just using a smart card to log in at the office. But at my new job? They are so hesitant to make that switch—driving me nuts!
What do you do for shared devices, though? Do you just use PINs?
The future is passkeys! Just think about how secure they are compared to outdated password policies. We need to push for more adoption of that tech. It’s about time.
Are people actually adopting passkeys widely, though? It seems like a tough sell to leadership who are used to seeing traditional systems.
Yeah, I read those, but aren't we just supposed to never change our passwords anymore? That seems a bit risky, right?