by Chester Wisniewski

It’s no secret. We’re really bad at passwords. Nevertheless, they aren’t going away any time soon.

With so many websites and online applications requiring us to create accounts and think up passwords in a hurry, it’s no wonder so many of us struggle to follow the advice of so-called password security experts.

At the same time, the computing power available for password cracking just gets bigger and bigger.

OK, so I started with the bad news, but this cloud does have a silver lining.

It doesn’t need to be as hard as we make it and the government is here to help.

That’s right, the United States National Institute for Standards and Technology (NIST) is formulating new guidelines for password policies to be used in the whole of the US government (the public sector).

Why is this important? Because the policies are sensible and a great template for all of us to use within our own organizations and application development programs.

Anyone interested in the draft specification for Special Publication 800-63-3: Digital Authentication Guidelines can review it as it evolves over on Github or in a more accessible form on NIST’s website.

For a more human approach, security researcher Jim Fenton did a presentation earlier this month at the PasswordsCon event in Las Vegas that sums up the changes nicely.

To see what is new click here