On Changing Password Guidance: A Good First Step From Microsoft

Passwords, as a security solution, have become untenable. Whereas 15 years ago you might only have needed to remember two passwords, your ISP login and your work password, now we have a plethora of passwords to keep track of: power utility websites, water utility websites, bank websites, online payment websites, Facebook, Instagram, Twitter, Pinterest, or any number of other sites that hold our information. The guidance has often been to make passwords complex: alphanumeric, containing special characters, as long as possible, and, oh, easy to remember, but don’t reuse passwords and never write them down.

That’s why I was heartened to see this recent guidance from Microsoft regarding some rethinking about passwords and how we create them. Take a moment to read it:

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Of note are the password guidance items for IT administrators that depart from conventional wisdom:

1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).

2. Eliminate character-composition requirements.

3. Eliminate mandatory periodic password resets for user accounts.

The paper explains the logic behind this guidance, but it’s worth noting that the data and rules around keeping accounts secure are shifting. Secure platforms no longer place the onus entirely on the user to follow hard-set, complex rules. Instead, they recognize the challenge users face in using a perfectly legitimate account conveniently while still keeping it safe.
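To make the difference concrete, here is an added example (not from the post or from Microsoft’s paper) that puts a conventional policy beside one shaped by the three guidance items above. The legacy policy enforces composition rules, a short maximum length and a 90-day reset; the recommended policy keeps only the 8-character minimum and replaces periodic resets with a reset on suspected compromise. The banned-password list, the 16-character cap and the 90-day age are constructed values for the example, and the banned-list check itself is an assumption drawn from the paper rather than from the post’s list.

```python
"""Password policy checks: conventional rules beside the guidance quoted above."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed banned list for this example. A real deployment would use a much
# larger list of commonly used and leaked passwords.
BANNED_PASSWORDS = frozenset({"password", "p@ssw0rd", "123456", "qwerty", "letmein"})

# Character classes a composition rule can demand.
CHARACTER_CLASSES = {
    "uppercase": r"[A-Z]",
    "lowercase": r"[a-z]",
    "digit": r"\d",
    "symbol": r"[^A-Za-z0-9]",
}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: Optional[int] = None            # None means no upper limit
    required_classes: Tuple[str, ...] = ()      # composition rules, if any
    max_age_days: Optional[int] = None          # None means no periodic reset
    banned: FrozenSet[str] = frozenset()        # known-bad passwords to reject

    def problems(self, password: str) -> List[str]:
        """Return the reasons a password fails this policy (empty list if it passes)."""
        found = []
        if len(password) < self.min_length:
            found.append(f"shorter than {self.min_length} characters")
        if self.max_length is not None and len(password) > self.max_length:
            found.append(f"longer than {self.max_length} characters")
        for name in self.required_classes:
            if not re.search(CHARACTER_CLASSES[name], password):
                found.append(f"missing {name} character")
        # Case-insensitive match so "Password" and "PASSWORD" are caught too.
        if password.lower() in self.banned:
            found.append("appears on the banned-password list")
        return found

    def reset_required(self, age_days: int, suspected_compromise: bool) -> bool:
        """A reset is always required on suspected compromise; otherwise only
        when the policy has a maximum age and the password has exceeded it."""
        if suspected_compromise:
            return True
        return self.max_age_days is not None and age_days > self.max_age_days


# Conventional wisdom: complexity rules, a length cap and periodic expiry.
LEGACY_POLICY = PasswordPolicy(
    min_length=8,
    max_length=16,
    required_classes=("uppercase", "lowercase", "digit", "symbol"),
    max_age_days=90,
)

# Policy along the lines of the three guidance items: 8-character minimum,
# no composition rules, no periodic reset, plus a banned-list check.
RECOMMENDED_POLICY = PasswordPolicy(min_length=8, banned=BANNED_PASSWORDS)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}")
        print("  legacy     :", LEGACY_POLICY.problems(candidate) or "accepted")
        print("  recommended:", RECOMMENDED_POLICY.problems(candidate) or "accepted")
    print("legacy reset at 91 days:", LEGACY_POLICY.reset_required(91, False))
    print("recommended reset at 400 days:", RECOMMENDED_POLICY.reset_required(400, False))
```

Running it shows the point of the guidance: the legacy policy accepts the well-known "P@ssw0rd" (it satisfies every composition rule) while rejecting a long lowercase passphrase for being too long and lacking an uppercase letter and a digit; the recommended policy does the reverse, and never forces a reset on age alone.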

The paper also contains good guidance for end users: watch for unusual activity on their accounts and enable two-factor authentication where possible.

I’m glad to see someone like Microsoft taking this step.