According to the US government, forcing users to change their passwords periodically should be a thing of the past.
Passwords can be a hassle. You'll find that your workplace will make you change your passwords in the name of security, just when you have it memorized. If you're like me, then you'll be typing in the old password out of habit for the next few weeks. You should use a password manager to keep track of them, but it's still annoying.
The National Institute of Standards and Technology has released the latest version of its Digital Identity Guidelines. It's (as expected) more difficult to read than any password sequence. (Via Ars Technica).
The incredibly dry language is offset by a rule that prohibits requiring users to change their passwords on a regular basis.
NIST is an American federal agency that sets digital standards for government agencies, standards organizations and private companies. So when it speaks, many listen. We could see our passwords last longer for a wide range of services. This will give us more mental space to remember important things, like sports scores and the names of people who have wronged us in the past.
The reasoning behind this seems to be that if users are constantly forced to change complex passwords, they will create simpler versions that are easier to remember.
Given that most people don't use a password manager (and this is the point where I'm contractually obliged to glare at you disapprovingly), what was originally "Fl00fyl1ttlekittens#84753j4X))-B" gradually becomes "Floofylittlekittens8", as it's easier to remember, and eventually "cat12345".
If one of those looks like your password, I hope that frightens you.
If you are looking for a password manager to use, I can recommend a few that we use on a regular basis. Bitwarden and Proton Pass are two options. Both are open-source, easy to use and come from reputable organisations. Bitwarden has the best raw functionality but isn't the prettiest. Proton Pass, on the other hand, is great if you already have a Proton Mail account.
The reasoning behind the removal of the rule that required you to include special characters is similar. Forcing users into creating a difficult-to-remember sequence encourages them to become lazy over time, making passwords easier to crack.
The standard eight-character minimum still stands, but there is also a suggestion that 15 characters "should" be the minimum in most circumstances. It seems a bit excessive, but it's a very dangerous cyber-world.
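The two policies the article contrasts, side by side, as an added Python example (not code from the article or from NIST): a legacy checker that demands a special character and expires passwords by the calendar, and a NIST-style checker that only enforces length and asks for a change only after a known compromise. The 90-day expiry figure for the old policy is an assumption; the sample passwords are the article's.

```python
# Added example modelling the two password policies discussed in the article.
# Not code from the article or from NIST. LEGACY_MAX_AGE_DAYS is an assumed
# value for the old rotation rule; the length figures are the ones the
# article quotes from the guidelines.
import string
from dataclasses import dataclass, field

SPECIALS = set(string.punctuation)
LEGACY_MAX_AGE_DAYS = 90   # assumed value for the old-style rotation rule
MIN_LENGTH = 8             # minimum the article says still stands
RECOMMENDED_LENGTH = 15    # minimum the guidelines say "should" apply


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)   # why it was rejected
    advice: list = field(default_factory=list)    # non-blocking suggestions


def legacy_policy(password: str, days_since_change: int, compromised: bool) -> Verdict:
    """Old-style rules: composition requirement plus expiry by calendar."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if not any(c in SPECIALS for c in password):
        reasons.append("no special character")
    if days_since_change > LEGACY_MAX_AGE_DAYS:
        reasons.append("password expired, change required")
    if compromised:
        reasons.append("known compromised, change required")
    return Verdict(accepted=not reasons, reasons=reasons)


def nist_policy(password: str, days_since_change: int, compromised: bool) -> Verdict:
    """Rules as the article describes them: length only, change only on compromise.
    days_since_change is accepted but deliberately never used."""
    reasons, advice = [], []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if compromised:
        reasons.append("known compromised, change required")
    if MIN_LENGTH <= len(password) < RECOMMENDED_LENGTH:
        advice.append("below the recommended 15 characters")
    return Verdict(accepted=not reasons, reasons=reasons, advice=advice)


if __name__ == "__main__":
    for pw in ["Fl00fyl1ttlekittens#84753j4X))-B", "Floofylittlekittens8", "cat12345"]:
        print(pw, "legacy:", legacy_policy(pw, 120, False).accepted,
              "nist:", nist_policy(pw, 120, False).accepted)
```

Run as a script it shows the article's point in miniature: the 20-character "Floofylittlekittens8" is rejected by the legacy policy for lacking a special character, while the NIST-style policy accepts it without complaint.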
Will we see the new password rules implemented anytime soon? Well, unless you work for the US government, I doubt that it will be a quick changeover. It can take a while for large private organisations to make the switch, especially if it involves security infrastructure. In this case, it's also a cultural issue to change the long-held belief in frequent password changes.
I'm happy with anything that makes workplace security easier and safer. Just to be sure, shall I repeat in this last sentence that you should use a password manager? Done.