> The new guidelines recommend use of stronger authentication technologies that can resist phishing attacks, such as passkeys, which allow you to log in without passwords, typically just using your fingerprint or your face. The institute also suggests that websites add block lists of compromised and commonly used passwords that will prevent users from choosing vulnerable options. And companies are now required to let users employ password managers, a move that was previously only recommended by NIST.

Good to hear that they're doing some useful things rather than just cutting out old useless or counter-productive ideas.

> Whether users are using password managers or creating their own passwords, the institute wants systems to allow users to move beyond exclamation points and dollar signs. The guidelines recommend accepting all standard keyboard characters, including spaces, brackets, quotation marks and even characters like emojis.

Although this one is pretty useless. Password length is by far the most important factor and broadening the character set isn't likely to make it easier to remember a long password.

New federal security guidelines are taking sharper aim at the terrible passwords we all create. The guidelines instruct organizations to stop requiring people to change their passwords so often, to stop mandating that they be complex and, at the same time, to permit a wider range of special characters in passwords-including emojis.

In its latest digital-authentication guidelines, the National Institute of Standards and Technology, the federal agency whose security standards shape practices across government and industry, is leaning on organizations to simplify password requirements for users. The draft guidelines-a final version is due in 2025-strengthen many positions the standards institute first took in 2017.

Archived...

https://archive.is/eiEMA