A new standard should make passwords much easier
After decades of companies pressuring people to create complex passwords, then forcing them to come up with a new one every 60-90 days, new digital authentication guidelines are providing some potential relief.
Called NIST SP 800-63B, the guidance will force everyone to rethink how we approach password security.
What is great about the new guidance? It stipulates changing a password only when there is evidence of compromise or the password appears in a list of known-compromised passwords; it ends mandatory time-based password expiration; and it relaxes the complexity (composition) rules that force particular mixes of characters.
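As an added illustration (not code from the original article or from NIST), the following Python sketch shows what a verifier that follows the three points above looks like next to the legacy time-based rule it replaces. The length limits, the blocklist contents, the `StoredCredential` shape and the `compromise_flag` field are assumptions made for the example; a real deployment would store a salted hash rather than the plaintext and load a large breach-derived blocklist.

```python
"""Password policy checks modelled on the NIST SP 800-63B points summarised
above: no composition rules, a blocklist of compromised passwords, and
password changes only on evidence of compromise (not on a timer).
This is an added example, not the article's or NIST's own code."""
from dataclasses import dataclass
from typing import Tuple

MIN_LENGTH = 8    # assumed floor for user-chosen memorized secrets
MAX_LENGTH = 64   # assumed cap; verifiers should accept long passphrases

# Constructed sample blocklist of commonly used / breached passwords.
COMPROMISED_BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "password1",
}


@dataclass
class StoredCredential:
    """Hypothetical record kept by the verifier about one password."""
    password: str             # plaintext only for this demo; store a salted hash in practice
    created_days_ago: int
    compromise_flag: bool = False   # set by detection / incident response


def normalize(secret: str) -> str:
    # Case-insensitive blocklist matching is an assumption of this example.
    return secret.casefold()


def validate_new_password(secret: str) -> Tuple[bool, str]:
    """Accept or reject a newly chosen password.

    Only length and the compromised-password blocklist are enforced:
    no required digits, symbols or mixed case (no composition rules)."""
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    if normalize(secret) in COMPROMISED_BLOCKLIST:
        return False, "appears in compromised-password blocklist"
    return True, "accepted"


def change_required(cred: StoredCredential) -> Tuple[bool, str]:
    """NIST-style rule: age alone never forces a change."""
    if cred.compromise_flag:
        return True, "evidence of compromise"
    if normalize(cred.password) in COMPROMISED_BLOCKLIST:
        return True, "password now in compromised-password blocklist"
    return False, "no change required"


def legacy_change_required(cred: StoredCredential, max_age_days: int = 90) -> Tuple[bool, str]:
    """The old time-based rule the article argues against, kept for contrast."""
    if cred.created_days_ago >= max_age_days:
        return True, f"password older than {max_age_days} days"
    return False, "no change required"


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_new_password("correct horse battery staple"))
    print(validate_new_password("Password"))
    old_but_fine = StoredCredential("correct horse battery staple", created_days_ago=400)
    print("NIST-style:", change_required(old_but_fine))
    print("legacy:    ", legacy_change_required(old_but_fine))
    print("flagged:   ", change_required(StoredCredential("correct horse battery staple", 3, True)))
```

The contrast to notice is the credential that is 400 days old: the legacy rule forces a rotation purely because of its age, while the NIST-style rule leaves it alone until a compromise is detected or the password turns up in the blocklist.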
When it comes to passwords, we all agree there needs to be a better way. While adding two-factor authentication helps improve security, we are still stuck with users creating insecure passwords. It is human nature to do as little as possible when it comes to secure passwords.
NIST takes a giant leap when it comes to passwords. Imagine if we did not need a password. WhatsApp does this really well.
When I set up WhatsApp Web on my desktop, it involved no passwords. A QR code appeared. I scanned the code with my phone and, like magic, it just worked. If only we could implement a process this simple for every login.
My hope is that more organizations clear their minds and learn more about the NIST guidance on password policies. For many, it requires a change in mindset, but once you concede that what we have been doing is not working, you see the value of the recommendations.
Ultimately, passwords will go away as soon as we find an easy and cost-effective way for mutual authentication that can be universal and as easy as WhatsApp.