
Less Password Drama, Better Security Karma – Ep 534 

 November 7, 2025

By  Donna Grindle

If you’ve ever wanted to throw your laptop out the window after yet another “Your password must include a hieroglyph and a drop of unicorn blood” message, you’re not alone. In this episode, we tackle the chaotic circus that is password creation: the rules, the myths, and the mounting frustration of trying to remember if this is the account that wanted a number, a symbol, or your firstborn’s dental records. From the rise of passkeys to the surprising sanity of NIST’s latest guidance (finally!), we explore how security might actually be getting smarter and less likely to make you cry into your keyboard.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


The numbers in brackets below are timestamps: each one marks where that topic begins in the audio, so you can move between the show notes and the recording.


[01:07]

Hoag Hospital in Newport Beach targeted in swatting call

Swatting suspected after false shooting call at Hoag Hospit…

Trina Bean thanks for sharing.

Less Password Drama, Better Security Karma

[06:23]

Your passwords don’t need so many fiddly characters, NIST says | Malwarebytes

NIST Special Publication 800-63B

NIST Special Publication 800-63B – Appendix A for passwords

Overview:

  • Part 1: What NIST means by Authentication Assurance Levels (AAL).
  • Part 2: What the appendix says about passwords — or as we like to call them, the love-hate relationship of cybersecurity.
  • Part 3: What comes next — passkeys and the move toward passwordless authentication.

Part 1: Authentication Assurance Levels — “How sure are we it’s you?”

  • Definition: AAL = how much confidence we have that the person logging in is who they claim to be.
  • Quick rundown:
    • AAL1: Basic. Single factor (just a password, an OTP, etc.).
    • AAL2: Stronger. Two different factors (password + authenticator app or hardware key).
    • AAL3: Highest. Phishing-resistant, cryptographic authenticators – like FIDO2 hardware keys or smart cards.

[18:16]

Part 2: The Password Appendix – “Why the old rules don’t work anymore”

  • NIST’s guidance shifts away from complexity rules and frequent resets toward long, unique, human-friendly passwords (or passphrases).
  • Highlights:
    • Minimum length: 15 characters for single-factor authentication; no mandatory complexity.
    • Periodic resets: Only when there’s evidence of compromise.
    • Allow spaces, Unicode, and long passphrases.
    • Block known breached passwords.
  • Why this matters for healthcare: reduces user friction and password reuse – two major risk factors in HIPAA breaches.

Length and complexity requirements beyond those recommended here significantly increase user frustration and the difficulty of using passwords. As a result, users often work around these restrictions counterproductively.

[27:15]

Part 3: Passkeys & Passwordless — “The future of logging in (and why it’s not sci-fi anymore)”

  • Passkeys are the next evolution — based on public-key cryptography and aligned with AAL3 authentication strength.
    • Instead of typing a password, your device holds a cryptographic key pair — one public, one private.
    • You unlock it with something you are (fingerprint, face) or know (a local PIN), on something you have (your phone or a hardware key).
    • It’s phishing-resistant — your key only works with the legitimate site or app.
  • Passwordless means you authenticate using passkeys, hardware tokens, or biometrics — no memorized secret at all.
  • NIST’s direction: SP 800-63B Rev 4 explicitly supports these stronger authenticators as the path forward.
  • Benefits for listeners (especially healthcare & privacy folks):
    • Eliminates password fatigue.
    • Stronger security with less human error.
    • Easier to align with higher AALs without overcomplicating user experience.

As the digital dust settles, one thing’s clear: your password shouldn’t require a decoder ring and a blood oath. With passkeys on the rise, smarter authentication levels, and the slow death of absurd complexity rules, we’re finally inching toward security that doesn’t make us hate technology. So keep those passwords long, your MFA turned on, and your sarcasm password-protected.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
