This is why it is safer not to change passwords frequently

Most users know the rules they are told to follow to create a safe password, repeated regularly by experts and institutions: at least 8 characters and a mix of upper-case and lower-case letters, digits and special characters. In other words, complex passwords that are hard to guess but end up being just as hard to remember, changed frequently because of the constant leaks of large user databases. In practice this approach creates a weakness that cybercriminals can exploit and that is better avoided. That is the conclusion of the National Institute of Standards and Technology (NIST) in the United States in the latest revision of its password guidance (Special Publication 800-63B), in which neither the mandatory mixing of character types nor the periodic change of passwords appears any longer.

When NIST first published password guidance, in the early 2000s, it bet on complexity as the defence against cybercriminals. However, more complex passwords do not necessarily mean more security. The 2017 revision already advised against the old rules, and the latest guidelines for credential service providers (CSPs) turn that advice into a requirement: stop demanding that users build passwords with specific character types (such as special characters), and stop imposing periodic password changes (commonly every 60 or 90 days). CSPs have also been told to stop using knowledge-based authentication, such as security questions, when a user resets a password.

NIST now recommends paying more attention to password length, since longer passwords are harder to crack by brute force: every additional character multiplies the number of guesses an attacker has to try. Better than a short string of random characters is a phrase that, without being predictable, is easy to remember but hard to guess.

Why you should not periodically change your passwords

The institute also now recommends that a password change be forced only when there is evidence that the credential has been compromised, not as a periodic security practice. Forcing users to change their passwords has often pushed them towards weaker ones: easy-to-guess variations of the previous password, and the same password reused across different services, which reduces their security. When passwords are long and random enough and there is no evidence of a breach, forcing a change can actually lead to less security, not more.

Other NIST recommendations include a minimum length of 8 characters (15 when the password is the only authentication factor), accepting passwords of at least 64 characters, and allowing all printable ASCII characters, including the space, as well as Unicode characters in them. Verifiers are also expected to compare a new password against lists of commonly used or previously breached passwords, and against context-specific words such as the username or the service name, and reject it if it matches.
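The rules above translate into a short verifier-side check. The following is an added example written for this article, not code published by NIST: the length thresholds follow the guidance, but the blocklist is a constructed stand-in for a real breached-password corpus, the 128-character cap is an implementation choice (the guidance only requires accepting at least 64), and the repetition/sequence test is one simple way to catch values like "12345678". Note what is absent: there is no rule requiring digits or symbols, so a long lower-case passphrase with spaces passes, and a short "complex" password fails only on length.

```python
import unicodedata

# Constructed sample blocklist standing in for the breached/common-password
# corpus a real verifier would load (assumption: a production list would be
# far larger, e.g. sourced from a breach-corpus provider).
BLOCKLIST = {
    "password", "passw0rd", "123456789", "qwertyuiop", "letmein",
    "iloveyou", "correct horse battery staple",
}

MIN_LEN_WITH_SECOND_FACTOR = 8   # password used alongside another factor
MIN_LEN_SINGLE_FACTOR = 15       # password is the only authenticator
MAX_LEN = 128                    # implementation choice; must be at least 64


def normalize(pw: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", pw)


def is_repetitive_or_sequential(pw: str) -> bool:
    """Catch 'aaaaaaaa' (all steps 0) or 'abcdefgh' / '12345678' (all steps +-1)."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and steps.pop() in (-1, 0, 1)


def check_password(pw: str, *, single_factor: bool = False,
                   context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    `context` carries user- or service-specific words (username, service
    name) that must not appear inside the password.
    """
    pw = normalize(pw)
    reasons: list[str] = []

    # Length is counted in code points after normalization, not UTF-8 bytes.
    n = len(pw)
    min_len = MIN_LEN_SINGLE_FACTOR if single_factor else MIN_LEN_WITH_SECOND_FACTOR
    if n < min_len:
        reasons.append(f"too short: {n} characters, minimum {min_len}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} characters, maximum {MAX_LEN}")

    folded = pw.casefold()
    if folded in BLOCKLIST:
        reasons.append("appears in the blocklist of common or breached passwords")
    if is_repetitive_or_sequential(folded):
        reasons.append("repetitive or sequential characters")
    for word in context:
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("Tr0ub4dor&3", False, ()),                   # complex but only 11 chars
        ("my cat chases the red laser every morning", True, ()),
        ("password", False, ()),
        ("12345678", False, ()),
        ("alice-2024-login", False, ("alice", "acme")),
        ("contraseña con acentos y ñ", True, ()),     # Unicode accepted as-is
    ]
    for pw, single, ctx in samples:
        verdict = check_password(pw, single_factor=single, context=ctx)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Run as a script to see the verdicts for the sample inputs. The normalization step matters in practice: without it a password typed with a precomposed "é" and one typed with "e" plus a combining accent would hash differently and lock the user out.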

NIST is not the only institution to back this approach after years of recommending the opposite. The United Kingdom's National Cyber Security Centre (NCSC) has followed a similar line since 2018, since regular password changes lead users to reuse their passwords with minimal changes, such as adding one more character, which makes cybercriminals' work easier.
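The "minimal change" pattern the NCSC describes is easy to reproduce and easy to detect. As an added example, not code from the article or from either institution, the check below models what a verifier can do when it receives both the old and the new password at change time: reduce each to the core word the user is actually remembering (case folded, leading and trailing digits and punctuation stripped, common letter-for-symbol substitutions undone) and compare, falling back to a small edit distance. The substitution table and the distance threshold of 2 are assumptions chosen for illustration.

```python
import re
import unicodedata

# Common letter-for-digit/symbol substitutions users apply when told to
# "add a number or a symbol" (assumption: illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(pw: str) -> str:
    """Reduce a password to the word the user is really remembering.

    'Summer2023!' -> 'summer', 'P@ssw0rd1' -> 'password'.
    Digits, punctuation and underscores are stripped only from the ends,
    so letters of any script in the middle are preserved.
    """
    s = unicodedata.normalize("NFKC", pw).casefold()
    s = re.sub(r"[\W\d_]+$", "", s)   # trailing '2023!', '01', '!!'
    s = re.sub(r"^[\W\d_]+", "", s)   # leading '#', '2024'
    return s.translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a forced-rotation style tweak of `old`."""
    co, cn = canonical(old), canonical(new)
    if co and co == cn:               # same core word, different decoration
        return True
    # A couple of edits anywhere: append a character, bump a digit, flip case.
    return levenshtein(old.casefold(), new.casefold()) <= max_distance


if __name__ == "__main__":
    # Constructed sample pairs of (previous password, proposed new password).
    pairs = [
        ("Summer2023!", "Summer2024!"),
        ("P@ssw0rd1", "Password2"),
        ("hunter2", "hunter3"),
        ("Summer2023!", "Winter2024!"),
        ("Summer2023!", "my cat chases the red laser every morning"),
    ]
    for old, new in pairs:
        tag = "REJECT (trivial variant)" if is_trivial_variant(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {tag}")
```

The same canonical form is what an attacker computes in reverse: given one leaked password, the handful of mutations it generates ("bump the year", "add another exclamation mark") is a far smaller search than a fresh brute-force attack, which is exactly why forced rotation buys so little.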

Another recommendation from both NIST and the NCSC is to always enable two-factor authentication, which requires confirming, through a code sent by SMS to the phone or generated by an authentication app such as Google Authenticator, that the user is the legitimate owner of the account. NIST's guidance treats SMS codes as a restricted authenticator, because they can be intercepted or redirected (for example through SIM swapping), so an authentication app or a hardware security key is the stronger choice.