Someone was just asking me for the actual NIST link/resource/verbiage that killed 20 years of painful password complexity and expiration. Here it is again, buried in 300 pages. https://t.co/zkdyaTyYL1 pic.twitter.com/7GryX9C7ui
Lance Spitzner (@lspitzner) December 16, 2019
All that was always crap anyway, and when I pushed back against it during the past 10 years at places I've worked, I have been told that I was wrong and that doing anything that actually made sense would be insecure.
But I was right; just most people want to be told what to think by "experts," even when the experts are really not.
I always said that users would just write their passwords down and put them under their keyboards or in their desk drawers, which is exactly what happens. Passwords are terrible, anyway, but all the alternatives are also pretty bad. We'll be stuck with them for a while. However, combined with MFA they can be made pretty secure.
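For anyone who wants to see what the NIST guidance in the tweet looks like as an actual check rather than a policy document, here is an added example (my own code, not from the original post, from Lance Spitzner, or from NIST). It puts a legacy "three character classes plus 90-day rotation" rule beside a check modelled on the memorized-secret rules in SP 800-63B section 5.1.1.2: a minimum of 8 characters, acceptance of at least 64, comparison against a breached-password blocklist plus repetitive, sequential and context-specific strings, no composition rules, and a forced change only on evidence of compromise. The `BREACHED` set, the usernames, the service name and the candidate passwords are all constructed for the example; a real deployment would query a breach corpus such as Have I Been Pwned's range API instead of an inline set.

```python
"""Added example, not code from the original post or from NIST.

A password-acceptance check modelled on the memorized-secret rules in
NIST SP 800-63B section 5.1.1.2, placed beside the legacy
"three character classes + 90-day rotation" rule it replaced.
BREACHED is a constructed stand-in for a real breached-password corpus.
"""
import re
import unicodedata
from datetime import date, timedelta
from typing import Optional

MIN_LEN = 8   # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64  # 800-63B: verifiers SHOULD accept at least 64; cap chosen here

# Constructed blocklist, stored lower-cased. Real lists hold millions of entries.
BREACHED = {"password", "password1", "p@ssw0rd", "summer2019!", "qwerty123", "letmein"}


def legacy_rejects(password: str, last_changed: date, today: date) -> Optional[str]:
    """Legacy policy: 8+ chars, 3 of 4 character classes, rotate every 90 days.
    Returns the rejection reason, or None when the password is accepted."""
    if len(password) < 8:
        return "shorter than 8 characters"
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        return "fewer than 3 of 4 character classes"
    if today - last_changed > timedelta(days=90):
        return "expired: must rotate every 90 days"
    return None


def _is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '87654321' (every step +1, or every step -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) > 1 and (steps == {1} or steps == {-1})


def nist_rejects(password: str, username: str, service: str,
                 compromised: bool = False) -> Optional[str]:
    """800-63B-style policy: length and blocklist checks only, no composition
    rules, no periodic rotation. Returns the rejection reason, or None."""
    if compromised:
        return "rotation required: evidence of compromise"  # the only forced change
    pw = unicodedata.normalize("NFKC", password)  # normalize before comparing/hashing
    n = len(pw)                                   # count code points, not bytes
    if n < MIN_LEN:
        return f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BREACHED:
        return "appears in breached-password list"
    if re.fullmatch(r"(.)\1*", low):
        return "repetitive characters"
    if _is_sequential(low):
        return "sequential characters"
    for word in (username, service):  # context-specific words (800-63B)
        if word and word.lower() in low:
            return f"contains context-specific word {word!r}"
    # Everything else is accepted, spaces and Unicode included: no class rules.
    return None


def compare(password: str, username: str = "alice", service: str = "example") -> dict:
    """Run both policies on one candidate so the difference is visible.
    The legacy check is run as if the password were set today (no expiry)."""
    today = date(2019, 12, 16)  # date of the tweet above, used as 'now'
    return {
        "legacy": legacy_rejects(password, last_changed=today, today=today),
        "nist": nist_rejects(password, username, service),
    }


if __name__ == "__main__":
    # Constructed candidates: the first two are the interesting ones. A
    # "complex" password that is in every breach dump passes the legacy rule
    # and fails the NIST-style rule; a long lower-case passphrase does the reverse.
    for cand in ("Summer2019!", "purple tractor ate my lunch",
                 "Alice2019!!", "aaaaaaaa", "abcdefgh"):
        print(f"{cand!r:32} {compare(cand)}")
```

The point the tweet makes shows up in the first two candidates: the legacy policy waves through a breached password that happens to mix character classes and rejects a 27-character passphrase for having no digits, while the 800-63B-style check does the opposite. The `compromised` flag is where the old 90-day timer went; under 800-63B a change is forced only when there is evidence of compromise.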