We always hear that it is recommended to change passwords regularly to prevent hacks and protect our personal information, especially in a world where data breaches are on the rise. When large companies and online services are attacked and millions of credentials are exposed, consumers are vulnerable. Changing passwords periodically and keeping them updated is one of the best ways to keep our accounts safe and prevent them from falling into the hands of hackers.
However, constantly changing passwords may not always be the best strategy. Experts from the North American Institute of Technology and Standards (NIST) have updated their guidelines for ensuring password security, removing the recommendation to change them periodically, as users could create the opposite effect by increasingly searching for less secure password options.
Passwords are codes made up of a series of characters that users create in secret. In this sense, to guarantee the security of these keys, experts generally recommend that they reach a certain length and combine letters, numbers, symbols, uppercase and lowercase letters, and also indicate the need to change them from time to time to prevent them. Without breaking them in case of filtration.
These types of guidelines have been recommended in recent years as reliable security measures, however, an American organization dedicated to establishing technical standards for public and private organizations has canceled some of these recommendations in the latest public draft of a guideline document on digital identity.
Specifically, one of these fixes revises the recommendation to change passwords periodically. According to NIST details in the Password Authenticators section, Content Security Policies (CSPs) and verifiers “do not require users” to implement this recommendation, unless there is evidence that “the authenticator has been compromised.”
We generate worse passwords
That’s because, as the company explains, users generate simple passwords they can remember when they have to change them on a regular basis. This makes it less resistant to cyberattacks and data leaks.
On the other hand, NIST experts also mentioned the recommendation of using different types of characters in the same password. In this regard, it is detailed that verifiers and CSPs “shall not impose other compositional rules” for passwords.
Although these composition rules are used to increase the difficulty of guessing user-chosen passwords, “recent research has shown that users respond in highly predictable ways to the requirements imposed by composition rules.”
As they point out, these rules only cause changes like introducing a completely predictable number or symbol to cybercriminals. For example, a user who selects the word ‘password’ as a password is likely to select ‘password1’ if asked to include an “uppercase letter and a number or ‘password1!'” if a symbol is also required.
“Analysis of breached password databases reveals that the benefit of such rules is less significant than initially thought, and the effects on usability and memory are severe,” NIST said.
Tips for improving password security
Despite these changes in recommendations, experts maintain other guidelines such as reaching an appropriate character length when creating a password to increase difficulty.
Specifically, the agency detailed that verifiers and CSPs “must have passwords at least eight characters long,” but suggested that to guarantee security, passwords should be at least 15 characters long. However, they state that the recommended maximum length for passwords is 64 characters.
