April 13, 2024

Fact or Fallacy: Stay Up to Date on the Best Practices for Password Security

Author: eli.zimmerman_9856

Thu, 08/29/2019 – 10:59

How much do you know about passwords? You might believe password authentication is old hat, and that you already know the best practices for implementing them. After all, we’ve heard password hygiene messages for years, right?

But unless you’ve updated your knowledge recently, you might be in for a few surprises.

The National Institute of Standards and Technology released Special Publication 800-63B: Digital Identity Guidelines — the newest set of guidelines — in mid-2017. Contained within this lengthy government document are dramatic changes in the way the security community thinks about passwords. Take a look at a few prevailing opinions about password security and see whether they are fact or fallacy under this revised guidance.


Fallacy: Users Should Be Forced to Change Passwords Regularly

“Change your password every 180 days (or sooner).”

That’s the mantra security teams have preached for decades. Most K–12 systems have policies that allow students to retain their passwords indefinitely but require faculty and staff to change their passwords periodically. Those prompts are the bane of teachers and administrators alike, who must memorize new passwords, and IT staff, who have to field complaints about the policy and help users who forget their new passwords.

This guidance is now old news. NIST’s current recommendation is that organizations should no longer require users to change passwords. The thinking is that this encourages other bad practices, such as writing down passwords or reusing passwords across security domains. Schools should only force a change when they have reason to believe a user’s password has been compromised.

Fact: Multifactor Authentication Reduces Password Risks

Multifactor authentication techniques dramatically enhance the security of the login process by requiring that users not only memorize passwords, but also prove that they have possession of a physical item (such as an authentication token) or submit to biometric scanning (such as fingerprint recognition).
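The following is an added example, not code from the article or from NIST, showing what the two points above look like in a login routine: a knowledge factor (the password) combined with a possession factor, and a password reset triggered only by evidence of compromise rather than by the calendar. It assumes the possession factor is a time-based one-time-password authenticator (RFC 6238 TOTP: HMAC-SHA1, 30-second step, six digits), that passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, and that an account record carries a `compromised` flag set by the security team; the `Account`, `login` and `must_change_password` names are this example's own.

```python
"""Added example (not from the article): password + TOTP login with a
compromise-driven, rather than age-driven, forced password change.

Assumptions: TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits),
PBKDF2-HMAC-SHA256 password hashes, and a 'compromised' flag on the account.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TIME_STEP = 30      # RFC 6238 default time step in seconds
DRIFT_WINDOW = 1    # also accept the code for one step before and after


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Accept the current step or its neighbours (authenticator clock drift),
    comparing in constant time so a near-miss is not distinguishable."""
    for step in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        expected = totp(secret, unix_time + step * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the iteration count follows current OWASP guidance."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    compromised: bool = False   # set by the security team on evidence, never by age


def must_change_password(account: Account) -> bool:
    """Force a reset only when compromise is suspected; no periodic expiry."""
    return account.compromised


def login(account: Account, password: str, code: str, unix_time: int) -> str:
    """Returns 'denied', 'reset_required' or 'ok'. Both factors are evaluated
    before deciding, so the response does not reveal which one failed."""
    pw_ok = verify_password(password, account.salt, account.password_hash)
    code_ok = verify_totp(account.totp_secret, code, unix_time)
    if not (pw_ok and code_ok):
        return "denied"
    if must_change_password(account):
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    # Constructed demo data: the RFC 6238 test secret and a sample passphrase.
    salt, digest = hash_password("correct horse battery staple")
    acct = Account(salt, digest, b"12345678901234567890")
    print(login(acct, "correct horse battery staple", totp(acct.totp_secret, 59), 59))
```

The `DRIFT_WINDOW` tolerance is the usual trade-off: one step either side keeps a slightly slow or fast authenticator usable, while a code from two or more steps away is rejected outright.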

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame.