New NIST guidelines for password security and authentication methods. Gets rid of many old password anti-patterns in favor of encouraging user-friendlier, simpler, but longer passwords. Recommends passwords have a minimum length of 8 characters (6 for numeric PINs), and allow pass-phrases up to *at least* 64 characters long. I’d probably want to go with 128 chars or more (after all, it will end up being cryptographically hashed before storage, anyways, so the length of the user’s original password is mostly irrelevant), but this is definitely a welcome improvement over all the bad “8-12 characters, with a mix of lowercase, uppercase, numbers, and special characters, except not *these* characters, and by the way you’ll have to change it in 90 days” patterns.

They also include recommendations for OTP (One-Time Password) and multi-factor authentication systems. Dry reading, but I hope that many organizations will start to follow these recs and get rid of current bad password practices.

NIST Special Publication 800-63B