Follow Island in the Net on

Passwordless Future

Gerald Beuchelt, the Chief Information Security Officer at LogMeIn talks about how changes in authentication may deliver a passwordless future.

Additionally, eliminate the frequent password change requirements, only require password changes when there was a known or suspected compromised of account credentials, and scan new and existing passwords against known lists of compromised accounts credentials.

NIST password guidlines

The new NIST guidance on passwords recommend that:

  • passwords never expire
  • no required character complexity or variety rules be implemented
  • the maximum length for passwords be set to 64 characters
  • the minimum length for passwords be set to 8 characters
  • passwords are checked against known bad passwords, banned lists, etc.
  • no hints or knowledge-based questions be provided to someone trying to log in (like “Who was your best friend in high school?”)
  • passwords only are changed when forgotten

I would add two-factor authentication to that. Where possible, my online account passwords are sixteen characters or longer. I change them after notification of a data breach or in some cases, once a year. Where feasible, I have enabled two-factor or two-step authentication for my accounts. Even on my iMac at home, I have a 24 character password. I use a different password for each online account. I use a password vault application such as 1Password or LastPass to track my passwords. I protect the password vault with a sixteen character password that I don't use anywhere else.