The National Institute of Standards and Technology (NIST), the federal agency responsible for setting technology standards for government bodies, standards organizations, and private companies, has proposed eliminating some of the most confusing and counterproductive password policies. Among the key changes: ending mandatory password resets, no longer requiring the use of specific character types, and discontinuing security questions.
Creating strong, secure passwords and managing them effectively is one of the most difficult aspects of cybersecurity. This task becomes even more complicated with the password rules enforced by employers, federal agencies, and online service providers. While these rules are meant to improve security, they often have the opposite effect. Despite this, such requirements are still widely imposed.
NIST published the second public draft of its updated Digital Identity Guidelines, known as SP 800-63-4. This 35,000-word document, dense with technical language and bureaucracy, outlines both the mandatory technical requirements and recommended best practices for authenticating digital identities. Any organization that deals with the federal government online must comply with these standards.
A section focusing on passwords introduces several much-needed, sensible changes to traditional policies. One notable update is the removal of the requirement for users to regularly change their passwords. This practice dates back decades, to a time when password security was poorly understood, and is now outdated. Back then, people often used easily guessed names and dictionary words as passwords.
Currently, services typically require more robust, randomly generated passwords or passphrases. When such strong passwords are in use, forcing users to change them every few months can weaken security. The additional burden leads users to create simpler, easier-to-remember passwords.
Another problematic rule is the requirement to use specific characters, like numbers, special characters, and both uppercase and lowercase letters. When passwords are sufficiently long and random, these character requirements add no real security benefit. Such rules can push users to choose weaker passwords.
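The following Python is an added illustration of the argument above (it is not from NIST's document or from the article): it compares the guessing entropy of a uniformly random password under a legacy composition-rule policy with a longer, lowercase-only one, and contrasts the two policy checks. The 15/64-character thresholds, the 33-symbol count and the blocklist are assumed values.

```python
import math
import re

# Assumed alphabet sizes: 26 lowercase, 26 uppercase, 10 digits,
# 33 printable-ASCII symbols (space included) = 95 printable characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed sample blocklist standing in for a real compromised-password list.
CONSTRUCTED_BLOCKLIST = {"password", "letmein", "p@ssw0rd", "qwerty123"}


def classes_present(pw: str) -> set[str]:
    """Return the character classes that actually occur in `pw`."""
    found = set()
    if re.search(r"[a-z]", pw):
        found.add("lower")
    if re.search(r"[A-Z]", pw):
        found.add("upper")
    if re.search(r"[0-9]", pw):
        found.add("digit")
    if re.search(r"[^A-Za-z0-9]", pw):
        found.add("symbol")
    return found


def random_entropy_bits(length: int, classes: set[str]) -> float:
    """Entropy of a uniformly random password of `length` characters drawn
    from the union of the given classes: length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def legacy_policy(pw: str) -> bool:
    """Typical composition rule: at least 8 chars using all four classes."""
    return len(pw) >= 8 and len(classes_present(pw)) == 4


def nist_style_policy(pw: str, min_len: int = 15, max_len: int = 64) -> bool:
    """Length bounds plus a blocklist check and no composition rules.
    Thresholds are assumed values, not quoted from the draft."""
    return min_len <= len(pw) <= max_len and pw.lower() not in CONSTRUCTED_BLOCKLIST


if __name__ == "__main__":
    # 8 random chars from all 95 printable characters vs 16 random lowercase letters.
    print(round(random_entropy_bits(8, set(CLASS_SIZES)), 1))   # 52.6 bits
    print(round(random_entropy_bits(16, {"lower"}), 1))         # 75.2 bits
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        print(pw, legacy_policy(pw), nist_style_policy(pw))
```

The 16-character lowercase passphrase-style string scores over 20 bits higher than the 8-character "complex" one, which is the point the text makes: length, not mandated character classes, carries the security.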