Forcing users to periodically change their passwords should go the way of the dodo according to the US government
Passwords are a pain. Just when you've got one fully committed to memory, chances are your workplace will force you to throw it away and make a new one, in the name of cybersecurity—and if you're anything like me, you'll spend the next few weeks typing in the old one out of habit. Of course, you should be using a good password manager to keep track, but even then it's an irritant.
The National Institute of Standards and Technology (NIST) has released the latest version of its Digital Identity Guidelines, and (rather fittingly) it's more fiendishly complicated to read than a particularly secure password sequence (via Ars Technica).
Amid the incredibly dry wording, however, is a rule barring the requirement that users periodically change their passwords.
The NIST is a US federal body that sets the digital standards for governmental agencies, standards organisations and private companies, so when it speaks, plenty listen. As a result, we could finally see our passwords lasting longer for a variety of services, giving us plenty of mental headspace to remember important things like sports scores, and the names of those who have wronged us in the past.
Essentially, the reasoning here seems to be thus: If users are forced to change complicated passwords frequently, they have a tendency to create simpler and simpler versions to make them easier to remember.
Given that most people don't use a password manager (and this is the point where I'm contractually obliged to glare at you disapprovingly), what was originally "Fl00fyl1ttlekittens#84753j4X))-B" gradually becomes "Floofylittlekittens8", as it's easier to remember—and eventually, "cat12345".
If that happens to be your actual password, I hope I made your stomach drop in terror.
If you're in the market for a password manager, I have a few recommendations for the ones we use regularly on the team. There's Bitwarden and Proton Pass. Both are open source, easy to use, and come from respectable organisations. Bitwarden is the best for raw functionality, though it's not the prettiest, while Proton Pass is great if you already have a Proton Mail account.
There's similar thinking behind the removal of a rule requiring you to add in special characters. Forcing users to think up a difficult-to-remember sequence essentially encourages them over time to become lazy with their choices, making the passwords gradually easier to crack overall.
The now-standard eight-character minimum length requirement is still there, of course, along with a suggestion that fifteen characters in length "should" be a minimum in many circumstances. Seems a little excessive that, but hey, it's a dangerous cyber-world out there.
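To make the reasoning above concrete, here is a small added example (my own illustration, not code from NIST or from the guidelines) that puts the article's three "decaying" passwords through a rough strength estimate and then checks them against two policies: a legacy "rotate every so often and add a symbol" policy, and a length-first policy with the rules as the article describes them (eight-character minimum, fifteen recommended, no symbol requirement, no forced periodic change). The 90-day legacy rotation interval, the symbol pool, and the character-class entropy heuristic are assumptions made for illustration.

```python
"""Added example: contrasting a legacy password policy with a length-first one.
This is illustrative code, not NIST's; the 90-day legacy age, the symbol pool
and the strength heuristic are assumptions chosen for the demonstration."""
import math
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

SYMBOLS = string.punctuation  # assumed symbol pool: the 32 printable ASCII symbols


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    recommended_length: Optional[int]  # None = no recommendation
    require_symbol: bool
    max_age_days: Optional[int]  # None = no forced periodic change


# Legacy rules: 90 days is an assumed value, not something the article states.
LEGACY = Policy("legacy", min_length=8, recommended_length=None,
                require_symbol=True, max_age_days=90)
# Rules as the article describes them: min 8, 15 recommended, no symbol rule, no expiry.
LENGTH_FIRST = Policy("length-first", min_length=8, recommended_length=15,
                      require_symbol=False, max_age_days=None)


def estimated_bits(password: str) -> float:
    """Rough strength estimate: length * log2(pool), where the pool is the union
    of character classes actually present. A heuristic, not a cracking model."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password: str, policy: Policy) -> List[str]:
    """Return a list of findings; an empty list means the policy is satisfied outright."""
    findings: List[str] = []
    if len(password) < policy.min_length:
        findings.append(f"shorter than minimum {policy.min_length}")
    elif policy.recommended_length and len(password) < policy.recommended_length:
        findings.append(f"below recommended {policy.recommended_length}")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        findings.append("missing required symbol")
    return findings


def change_required(last_changed: date, today: date, policy: Policy,
                    compromise_suspected: bool = False) -> bool:
    """A suspected compromise always forces a change; a calendar trigger only
    applies when the policy actually has one."""
    if compromise_suspected:
        return True
    if policy.max_age_days is None:
        return False
    return today - last_changed >= timedelta(days=policy.max_age_days)


# The article's own illustration of rotation-driven decay, used as constructed inputs.
DECAY = ["Fl00fyl1ttlekittens#84753j4X))-B", "Floofylittlekittens8", "cat12345"]

if __name__ == "__main__":
    for pw in DECAY:
        print(f"{pw!r}: ~{estimated_bits(pw):.0f} bits")
        for policy in (LEGACY, LENGTH_FIRST):
            print(f"  {policy.name}: {evaluate(pw, policy) or 'ok'}")
    stale = change_required(date(2024, 1, 1), date(2024, 4, 1), LEGACY)
    print(f"legacy forces a change after 91 days: {stale}")
    print(f"length-first forces a change after 91 days: "
          f"{change_required(date(2024, 1, 1), date(2024, 4, 1), LENGTH_FIRST)}")
```

Two things stand out when you run it: the estimated strength collapses as the password is simplified across rotations, and the legacy policy still rejects the final "cat12345" only because of its symbol rule, not because it recognises the password as weak. The length-first policy accepts the twenty-character middle password outright and flags the eight-character one as below the recommended fifteen, while never forcing a change on the calendar alone.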
So, will we see these new password rules implemented any time soon? Well, unless you're a US government worker, I doubt it'll be a quick switchover. Large private organisations often take some time to change, especially when it comes to security infrastructure. Plus, in this case, there's a cultural element of overturning the long-held belief that frequent password changes make things safer for us all.
Still, anything that makes workplace security simpler and safer is fine by me. Shall I use this last line to reiterate that you should be using a password manager, just for good measure? Done and done.