In case you missed it, EPA is yet again changing it's password requirements. This attempt to strengthen security will ultimately reduce security.
As noted security expert Bruce Schneier notes, the National Institutes of Standards and Technology (NIST) recently published its four-volume SP800-63b Digital Identity Guidelines. As Bruce notes, the document "makes three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
And we'll add one to Bruce's list, above. These "complex" passwords require people to write them down to remember them. Typically they'll write them on a note that's left under the keyboard or in an unlocked drawer at their desk so they can pull the note out easily. Having a password that's impossible to remember simply encourages the insecure practice of leaving a written note with ones password in an easily-accessible location.
EPA ignores federal experts and does exactly the opposite of all three NIST recommendations Bruce mentions. OEI's password policy is a "failed attempt to fix the user." As Mr. Schneier notes, "Better we fix the security systems" instead of the user.
Here's OEI's note in its entirety: