Forward Pass

In the wake of a Wall Street Journal article in which Bill Burr, the now-retired developer of many of the modern password standards, says that he may have been wrong, Shelly Palmer, CEO of the strategic advisory, technology solutions and business development practice Shelly Palmer Group, writes about the newly released National Institute of Standards and Technology (NIST) guidelines on password security and how they have evolved over the years.

The original paper, "NIST Special Publication 800-63", told users to develop cryptic passwords with special characters to avoid being hacked. After the Sony hack in 2014, says Palmer, things changed and this thinking split into two camps. "Camp one was advocating the creation of more-cryptic passwords and changing them often (like monthly), and camp two began advocating for the longest passwords possible, made from any words you like and left alone until there was a reason to change them," she writes.

Now, the new NIST guidelines rely on longer passwords to avoid computer hacking. "The good news is that Mr. Burr's old memo has been discarded and the NIST has published new Digital Identity Guidelines," writes Palmer. "The bad news is that it is going to take quite a while for these new guidelines to become widely adopted." Factors hindering adherence to the new guidelines include sites that limit passwords to 8 to 12 characters and sites that require a special character, a capital letter and a number.