Regular password changes or mandatory inclusion of numbers and special characters may be ineffective, while imposing significant burdens.

In late August 2024, the U.S. National Institute of Standards and Technology (NIST) issued new recommendations on digital password hygiene. The standardization body suggested abandoning two counterproductive yet widely used practices: regular password renewal and composition requirements.

Changing a password creates a brief moment of vulnerability, which cybercriminals can exploit. NIST strongly reiterates that such renewal should only be required when an account or website is confirmed to have been compromised.

The second recommendation advises against enforcing password composition rules. Requiring users to include an uppercase letter, a number, and/or a special character is intended to make the password harder to guess. However, “research has shown that users respond very predictably to composition rule requirements,” NIST notes.

For example, a user accustomed to a simple password may just add a “1” and a “!” to meet the complexity criteria, making the new password only marginally harder to guess. Additionally, overly strict composition requirements encourage users to reuse passwords across multiple services.

The advantage of adding a number, symbol, or capital letter is, according to NIST, “less significant than initially thought.” On the other hand, the negative effects on memorization and usability “are severe.” The best way to secure digital access remains using a password manager, which generates random, complex combinations that the user doesn’t need to memorize.
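As an added illustration (not code from the article or from NIST), the Python below puts a legacy composition-rule check side by side with a check in the spirit of NIST SP 800-63B, which replaces composition rules with a minimum length and screening against a blocklist of common or compromised passwords. The tiny blocklist and the normalization that undoes the predictable “add a 1 and a !” mangling are constructed stand-ins for this example; a real deployment screens against a large breached-password list.

```python
import re

# Constructed stand-in for a real common/compromised-password blocklist.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "welcome"}


def passes_composition_rules(pw: str) -> bool:
    """The legacy rule set the article criticises: at least 8 characters,
    with an uppercase letter, a digit and a special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Undo the predictable tweaks users apply to satisfy composition rules:
    drop leading/trailing digits and symbols, lowercase, and reverse a few
    common leetspeak substitutions (assumed mapping, not an exhaustive one)."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)      # strip trailing "1!", "123", ...
    core = re.sub(r"^[^A-Za-z]+", "", core)    # and leading ones
    return core.lower().translate(str.maketrans("@$013", "asoie"))


def passes_nist_style_check(pw: str, min_length: int = 8) -> bool:
    """NIST SP 800-63B style: no composition rules, a minimum length, and a
    blocklist comparison on both the raw and the normalized password so that
    'Password1!' is treated as the blocked 'password' it is derived from.
    (NIST also requires accepting long passphrases; no upper cap is imposed.)"""
    if len(pw) < min_length:
        return False
    return (pw.lower() not in COMMON_PASSWORDS
            and normalize(pw) not in COMMON_PASSWORDS)


def compare_policies(pw: str) -> dict:
    """Return the verdict of each policy for one candidate password."""
    return {"composition": passes_composition_rules(pw),
            "nist_style": passes_nist_style_check(pw)}


if __name__ == "__main__":
    # Constructed candidates: two mangled blocklist entries and one passphrase.
    for candidate in ["Password1!", "P@ssw0rd!1", "correct horse battery staple"]:
        print(f"{candidate!r}: {compare_policies(candidate)}")
```

The composition check accepts both mangled dictionary words and rejects the long passphrase; the NIST-style check does the opposite, which is the point the article makes.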
