The National Institute of Standards and Technology (NIST) is no longer recommending that people periodically change their passwords, according to the organization's new draft of its Digital Identity Guidelines.
The draft, Special Publication 800-63-3, makes several changes to what were once commonly considered best security practices for passwords, or "memorized secrets," as NIST calls them, including encouraging websites and services to stop requiring users to change passwords arbitrarily.
In the Authentication and Lifecycle Management volume of the draft (SP 800-63B), NIST advises verifiers to "not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
This reverses what was long treated as a mandatory security control, especially for services that hold sensitive data, such as banks and hospitals.
In recent years more security experts have come around to the view that people should not be required to change a password unless there is a clear reason to do so, mainly because users do not put effort into choosing a strong password when they know they will have to replace it in a few months.
A study conducted at the University of North Carolina at Chapel Hill found that when people are required to change passwords regularly, they usually keep the old one and apply a minor transformation: changing a digit, swapping a letter for a symbol, or adding or dropping a special character while keeping the same base. An attacker who knows the old password can try those transformations first, so the "new" password falls quickly.
Even if users created a genuinely new password every time they were required to, it would not help much. A study from Carleton University found that forced password changes have minimal effect on an attacker guessing passwords by brute force, so the changes inconvenience the user more than the attacker. An attacker who has already obtained a working password typically uses it right away, and a change scheduled months later comes too late.
In addition to dropping mandatory rotation, NIST advises sites to accept passwords of at least 64 characters (that is, to impose no maximum below 64) and to accept spaces, so that people can choose passphrases that are easier to remember, and to drop special-character (composition) requirements.
Many security experts have long favoured this over forcing in special characters that a person would not normally use. A long phrase is harder to crack because the guessing effort grows exponentially with length, and it is much easier to remember. The caveat is that the phrase must be uncommon: a famous quotation or song lyric is already in cracking wordlists, so a verifier does better to reject known-common or previously breached values than to enforce symbol rules.
Should the draft go forward, users should see passphrase support appear and arbitrary password changes disappear from many sites and services. NIST guidelines are binding on federal agencies and are widely adopted as best practice by private-sector organizations.
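The rules described above, the no-arbitrary-rotation rule and the passphrase-friendly acceptance rules, as an added worked example for this article. This is illustration code written for this page, not NIST's text and not code from the article; the legacy length cap and rotation interval, the blocklist entries, the `Account` records and the minimum length of 8 (which 800-63B specifies but the article does not mention) are constructed or assumed for the example. The blocklist and username checks reflect 800-63B's recommendation to reject commonly used, breached or context-specific values; the repetitive-character check is a crude stand-in for the same section.

```python
"""Memorized-secret acceptance and rotation rules in the style of draft NIST SP 800-63B
section 5.1.1.2, contrasted with the legacy policy the article describes.

Added illustration for this article; not NIST's text, not code from the article.
The length caps, rotation interval, blocklist entries and account records are
constructed for the example.
"""
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

# ---- Legacy policy (composition rules, short cap, calendar-driven rotation) ----
LEGACY_MAX_LEN = 16          # assumed typical cap; not a figure from the article
LEGACY_ROTATION_DAYS = 90    # assumed typical rotation interval


def legacy_policy_accepts(pw: str) -> bool:
    """Upper + lower + digit + symbol, no spaces, 8..16 chars. Rejects long passphrases."""
    return (
        8 <= len(pw) <= LEGACY_MAX_LEN
        and " " not in pw
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() and not c.isspace() for c in pw)
    )


# ---- 800-63B-style policy ----
MIN_LEN = 8    # 800-63B minimum for user-chosen secrets (the article does not mention it)
MAX_LEN = 64   # 800-63B says verifiers should permit *at least* 64; a higher cap is fine

# Constructed stand-in for the "commonly used / breached" list 800-63B tells verifiers to check.
BLOCKLIST = {"password", "password1", "password1!", "qwerty123", "letmein", "iloveyou"}


def normalize(secret: str) -> str:
    """NFKC so the same phrase typed via different Unicode forms compares equal
    (800-63B recommends NFKC or NFKD before hashing and comparing)."""
    return unicodedata.normalize("NFKC", secret)


def nist_policy_accepts(secret: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules: spaces and any Unicode are fine."""
    s = normalize(secret)
    n = len(s)                    # code points, not bytes, so a 64-char Unicode phrase fits
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = s.lower()
    if low in BLOCKLIST:
        return False, "on the blocklist of common or breached passwords"
    if username and username.lower() in low:
        return False, "contains the username (context-specific word)"
    if len(set(low)) <= 2:        # crude stand-in for 800-63B's "repetitive characters" check
        return False, "repetitive"
    return True, "ok"


# ---- When must a secret be changed? ----
@dataclass
class Account:
    username: str
    secret_set_at: datetime
    compromise_evidence: bool = False   # e.g. the hash turned up in a breach dump
    user_requested_change: bool = False


def legacy_needs_rotation(acct: Account, now: datetime) -> bool:
    """Calendar-driven: change every N days whether or not anything happened."""
    return now - acct.secret_set_at >= timedelta(days=LEGACY_ROTATION_DAYS)


def nist_needs_rotation(acct: Account, now: datetime) -> bool:
    """Event-driven: only on user request or evidence of compromise; age (now) is irrelevant."""
    return acct.compromise_evidence or acct.user_requested_change


def rotation_demo() -> dict:
    """Constructed accounts: one stale but uncompromised, one fresh but breached."""
    now = datetime(2024, 6, 1)
    stale = Account("alice", secret_set_at=now - timedelta(days=400))
    breached = Account("bob", secret_set_at=now - timedelta(days=3), compromise_evidence=True)
    return {
        "stale_legacy": legacy_needs_rotation(stale, now),        # True: the calendar says so
        "stale_nist": nist_needs_rotation(stale, now),            # False: nothing happened
        "breached_legacy": legacy_needs_rotation(breached, now),  # False: only 3 days old
        "breached_nist": nist_needs_rotation(breached, now),      # True: evidence of compromise
    }


if __name__ == "__main__":
    for pw in ["Password1!", "my dog eats blue socks on tuesday", "café au lait est très bon"]:
        print(f"{pw!r}: legacy={legacy_policy_accepts(pw)} nist={nist_policy_accepts(pw)}")
    print(rotation_demo())
```

Run it and the contrast is the point: the composition-rule policy happily accepts `Password1!` and rejects a 33-character lowercase phrase, while the 800-63B-style check does the opposite, and it rotates the breached three-day-old secret immediately while leaving the year-old uncompromised one alone.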