May the Fourth be with you on World Password Day

Get ready to be bombarded with “May the Fourth be with you” puns regarding your passwords and identity, as this year May 4 is not only Star Wars Day but also World Password Day.

Leading up to World Password Day, I received dozens of emails about how bad our password hygiene still is, studies about poor password management, reminders to change passwords, pitches about password managers and biometric options to replace passwords, reminders to use multi-factor authentication (MFA), as well as the standard advice for choosing a stronger password. Some of that advice contradicts NIST-proposed changes for password management.

Although NIST closed comments on its Digital Identity Guidelines draft on May 1, VentureBeat highlighted three big changes. Since this is NIST, and changes to password management rules will eventually affect even nongovernment organizations and trickle down to affect pretty much everyone online, it’s important to look at them. Those changes, according to VentureBeat, boil down to:

No more periodic password changes.
No more imposed password complexity.
Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.
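To make the three changes concrete, here is an added example of an acceptance check written in that spirit; it is not code from NIST, VentureBeat, or the article. It keeps a minimum length (assumed to be 8 characters) as the only composition rule, drops the upper/lower/digit/symbol requirements and any expiry logic, and rejects candidates found in a blocklist. The blocklist here is a constructed sample of a dozen entries; a real deployment would load a large list of commonly used and breached passwords. Treating the user's own username as an "expected" password is this example's assumption.

```python
from typing import Optional, Set, Tuple

# Constructed sample blocklist. In practice this is loaded from a large file of
# commonly used and breached passwords; the entries are stored lower-cased.
COMMON_PASSWORDS: Set[str] = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "letmein", "welcome", "p@ssw0rd", "iloveyou", "admin",
}

MIN_LENGTH = 8  # assumption: minimum length is the only composition rule kept


def normalize(password: str) -> str:
    """Fold case and trim whitespace so 'Password' and 'PASSWORD' hit the same entry."""
    return password.strip().lower()


def check_password(candidate: str,
                   username: Optional[str] = None,
                   blocklist: Set[str] = COMMON_PASSWORDS) -> Tuple[bool, str]:
    """Return (accepted, reason).

    No character-class requirements and no expiry are enforced: the decision is
    minimum length plus a blocklist lookup plus one user-specific "expected" word.
    """
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    norm = normalize(candidate)
    if norm in blocklist:
        return False, "appears in the commonly-used/compromised password list"
    # An "expected" password: the account's own username is a predictable choice
    # (this check is the example's assumption, not something the article states).
    if username and normalize(username) in norm:
        return False, "contains the username"
    return True, "accepted"


if __name__ == "__main__":
    # "P@ssw0rd" satisfies every classic complexity rule yet is on the blocklist;
    # the long passphrase has no digits or symbols and is accepted.
    for pw in ["P@ssw0rd", "PASSWORD123", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, username='alice')}")
```

Note that the blocklist lookup is a set membership test on a normalized string, so adding millions of entries does not change the cost per check; the complexity rules it replaces are the part that pushes users toward predictable patterns like "P@ssw0rd" in the first place.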

Right now, NIST is developing the SOFA-B Framework; that is short for the project’s full mouthful of Strength of Function for Authenticators – Biometrics. It will establish a standardized method for comparing and combining authentication mechanisms and “focuses on three core concepts: False Match Rate, Presentation Attack Detection Error Rate, and Effort.” By creating SOFA-B, NIST hopes to “achieve a level of measurability similar to that of entropy for passwords.”

