Using a variety of character types in your passwords and changing them on a regular basis are no longer considered best practices for password management.
This is according to new standards published by the United States National Institute of Standards and Technology, which develops and publishes guidelines to assist organisations in safeguarding their information systems.
The new guidelines were published in September 2024 as part of NIST's second public draft of SP 800-63-4, the most recent iteration of its Digital Identity guidelines.
Change in password recommendations
Over the years, conventional wisdom recommended having complex passwords that included upper and lower case characters, numbers, and symbols. This complexity was intended to make passwords difficult to guess or crack using brute force assaults.
However, these complex requirements frequently resulted in users developing bad habits, such as repeating passwords or selecting too basic ones that barely fit the rules, such as "P@ssw0rd123." Over time, NIST discovered that this emphasis on complexity was counterproductive, compromising security in practice.
In its most recent guidelines, NIST has shifted away from enforcing complexity limits and towards encouraging longer passwords. There are a number of causes for this shift:
Customer behaviour
According to research, users frequently fail to remember complicated passwords, prompting them to reuse passwords across several sites or rely on easily guessable patterns, such as substituting letters with similar-looking numbers or symbols.
The necessity by many organisations to change your password every sixty to ninety days—a practice that NIST no longer advises—further encouraged this behaviour.
Password entropy
Password strength is frequently tested using entropy, a measure of unpredictability. In other words, the total number of possible password combinations. The greater the number of potential options, or entropy, the more difficult it is for cybercriminals to crack the password using brute-force or guessing techniques.
While complexity can contribute to entropy, length has a far greater impact. A lengthier password with more characters offers an exponentially greater number of possible combinations, making it more difficult for attackers to guess, even if the characters are simple.
Human element
Long passwords that are easy to remember, such as passphrases composed of multiple basic words. For example, "big dog small rat fast cat purple hat jelly bat" in password form is "bigdogsmallratfastcatpurplehatjellobat" without the spaces, which is both secure and user-friendly.
A password like this provides a balance between high entropy and convenience of use, preventing users from engaging in risky behaviours such as writing down passwords or reusing them.
