NIST changes to guidelines for password best practices
- Robert Salier

- Sep 27, 2024
- 1 min read
Updated: Aug 19
It is interesting to see that the USA National Institute of Standards and Technology (NIST) is changing its guidelines for password best practices. When NIST published its first guidelines in 2017, best practices included requiring users' passwords to include upper and lower case letters, numbers and special characters such as @#$%, so that the password would be more complex and harder to guess. It also recommended requiring users to change passwords every 60 or 90 days.
NIST is dropping both of those recommendations. Its argument is that humans have trouble remembering passwords with lots of special characters in them, so in practice people have either been writing down their passwords or choosing passwords that comply with the complexity requirement but are still fairly easy to guess or crack.
Instead, NIST is now focussing on requiring longer passwords, preferably at least 16 characters. The longer the password, the harder it is for a human to guess or a machine to crack.
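To put numbers on the length-versus-complexity argument, here is an added example (not part of the original post) that encodes the old 2017-style policy and the new length-only policy side by side, and compares the brute-force search space each one guarantees. It assumes a 94-character printable-ASCII alphabet for the complex policy and a 26-letter alphabet for a lowercase passphrase; the guess rate passed to `crack_time_seconds` is a constructed figure, not a measurement.

```python
import math
import string

# Alphabet sizes are assumptions for the worked comparison, not NIST figures.
PRINTABLE_ASCII = 94   # upper + lower + digits + 32 specials
LOWERCASE_ONLY = 26


def legacy_policy_ok(pw: str) -> bool:
    """2017-style rule: at least 8 chars, with all four character classes."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def length_policy_ok(pw: str, min_len: int = 16) -> bool:
    """Revised rule: length is what matters; no composition requirement."""
    return len(pw) >= min_len


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force search space: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a search space of the given size."""
    return (2.0 ** bits) / guesses_per_second


if __name__ == "__main__":
    # Constructed samples: one complies with the old rule but is a classic
    # dictionary substitution; the other is long but uses only lowercase.
    short_complex = "P@ssw0rd"
    long_simple = "correct horse battery staple"
    for pw in (short_complex, long_simple):
        print(f"{pw!r}: legacy={legacy_policy_ok(pw)} "
              f"length16={length_policy_ok(pw)}")
    # Even a lowercase-only 16-char password out-sizes an 8-char complex one.
    b8 = search_space_bits(8, PRINTABLE_ASCII)
    b16 = search_space_bits(16, LOWERCASE_ONLY)
    rate = 1e10  # assumed offline guess rate, for illustration only
    print(f"8 x 94 chars: {b8:.1f} bits, {crack_time_seconds(b8, rate):.2e} s")
    print(f"16 x 26 chars: {b16:.1f} bits, {crack_time_seconds(b16, rate):.2e} s")
```

The brute-force figures show the upper bound an attacker faces; a complex-looking password built from a dictionary word, like the first sample, falls far below its alphabet-size estimate in practice, which is the page's point.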
Of course, an even better solution is to not use passwords at all because humans are crap at passwords! I.e. use passwordless login techniques such as an authentication app on your phone.