Passwords are difficult. They have to be a certain length, use certain characters, change at certain intervals, and worst of all they have to be memorable. But the NIST Trusted Identities Group thinks that should change.

The new draft version of NIST’s Digital Identity Guidelines (SP 800-63-3) is in the process of being finalized. The sub-publication on Authentication & Lifecycle Management (800-63b) contains some interesting changes to password composition and management. The document uses the term “memorized secrets” to refer to passwords and PINs. Also, as this is still a DRAFT version, it is advisable to wait for the final publication to refer to before changing security policies.