Hints and Knowledge-Based Authentication


Password hints are a bad idea. There’s no real advantage to allowing the user to enter a password hint as a reminder. The same effect can be achieved by a password reset without giving a bad actor the opportunity to work out the password.

Knowledge-based authentication is also dangerous: it’s not hard for bad actors to discover a user’s mother’s maiden name or where they went to high school.

Both strategies are intended to reduce the burden on a company’s customer support, but they expose users to unnecessary risk.

Check Against Existing Password Dictionaries

This one is common sense, but almost never done. Hackers know which passwords people are most likely to choose. When hacking a user account they use dictionaries of common passwords as a starting point. Rejecting passwords identical to the most common passwords found in leaked password databases would go a long way to making users more secure.

Users will find this frustrating, but occasionally it’s necessary to put security above convenience.

Don’t Force Password Expiry

Many companies force users to choose a new password after a predetermined period. Intuitively, this is an appealing measure, but in practice it does little to improve security.

Frequent password expiry often leads to users simply adding an incrementing number to the end of their password or choosing simple passwords so they don’t have to frequently commit a new complex password to memory.

The Federal Trade Commission weighed in on this topic earlier in the year, advising that frequent password expiry was counter-productive.

If an account isn’t compromised, there’s no benefit to changing the password. If it is compromised, changing the password doesn’t go far enough, because it can’t be guaranteed that malware hasn’t been installed.

Password Composition


This is probably the most common practice NIST argues against. Many services advise users to choose passwords with a specified minimum of capital letters, numerical characters, and special characters like punctuation.

In theory, this makes users choose passwords that are harder to guess. In practice, they choose passwords that meet the minimum requirements. NIST wants password advice to focus on password length, rather than composition. Choosing a strong password can save a lot of hassle in the long run.

There’s been a fair bit of controversy surrounding some of the advice given by NIST. Let us know what you think in the comments .