If you were told or forced to set up a so-called "strong password" which required to be determined as complex (must consist of combination of uppercase letters, lowercase letters, numbers, special characters, and so on...) just to safeguard your user account from password guessing, peeping, and/or brute-force attack, the policy is outdated and should be obsoleted as soon as possible.
If you were also told or forced to change your password periodically, let's say every month or so, that thinking also has been admitted by certain cybersecurity experts to be foolish and will not make your account more secured.
Indeed, it only serves to make your life more difficult, and makes your account much more vulnerable if you eventually did either one of the following attempts to help remembering your latest password:
- Write your latest password on Post-It notes or inside your diary book.
- Tape your password somewhere near your computer (similar way to what character Nolan Sorrento in movie Ready Player One did).
- Keep your password in a computer file (text, Word, Excel, ...), either password protected or not.
- Store it with your web browser's auto-complete feature.
Interestingly, it is also NIST who has overthrown its own password guidelines in its recent NIST Special Publication 800-63A report namely "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements." released in June 2017. You can download the complete report here for free.
The new report has made the following important suggestions:
- Verifier SHOULD NOT impose annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. They make most people remembering password by Post-It notes or computer file. It's better to allow people to use pass phrases.
- Verifier SHOULD NOT bother user with password expiration. That was an old idea for an old way we used computers. Only force a password change when there's indication of compromise.
- SHOULD use dual factor authentication (2FA). This is the proven to be the more robust and secure way.
The account holder need to read the OTP from a token, and use it for successful account login. The token can be generated from a hardware device such as key fob, display card, USB authentication key, OCRA keypad, etc. It can also be generated and delivered to the account holder by software, in the form of SMS, email, mobile app display, push app notification, etc.
Note that the use of SMS or email for OTP is also outdated method which is vulnerable to trojan horse interceptions and/or malicious software crack-in. You can search the Internet for the following keywords to read more about how insecure to use SMS for OTP:
- ZeuS-in-the-Mobile (ZitMo)
- SpyEye-in-the-Mobile (SPITMO)
- Android.Bankosy
Therefore, all organizations should update their password policy for all users to be:
- Use pass phrases instead of password
- Use dual factor authentication with secure token (avoid using the outdated SMS or email method)