Shata Stucky writes:
The United States National Institute of Standards and Technology (NIST) has issued new guidelines for creating secure passwords. NIST guidelines, which are directed to “federal government systems,” often become best-practice recommendations across the security industry.
The new guidelines are a significant break from previous rules. Security experts previously recommended frequent password changes and using a mixture of uppercase letters, symbols, and numbers. The NIST guidelines acknowledge that users often work around these types of restrictions in ways that are counterproductive. The most effective passwords are those that are easy for the user to remember, so that it is less likely they will be written down or stored electronically in an unsafe manner.
Accordingly, NIST recommends dropping complexity requirements and requirements for frequent password changes. Instead, organizations should emphasize password length: passwords should be at least 8 characters long, and users should be allowed a maximum length of at least 64 characters.
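As an added illustration that is not part of the article, the two approaches side by side in Python: the legacy composition check described above versus a length-only check using the 8-character minimum and 64-character allowance the article cites. The constants, function names and sample passwords are assumptions, not NIST's text.

```python
# Constructed example: legacy composition rule vs. length-only rule.
# Assumed constants: the article gives 8 as the minimum and says users must be
# allowed at least 64 characters, so 64 is used here as the cap.
MIN_LENGTH = 8
MAX_LENGTH = 64


def legacy_policy(password: str) -> tuple[bool, str]:
    """Old-style rule: require upper, lower, digit and symbol (no length focus)."""
    checks = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, ok in checks.items() if not ok]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def nist_policy(password: str) -> tuple[bool, str]:
    """Length-only rule: no composition classes, spaces allowed,
    length counted in characters (code points) rather than bytes,
    and over-long input is rejected instead of silently truncated."""
    length = len(password)
    if length < MIN_LENGTH:
        return False, f"too short ({length} < {MIN_LENGTH})"
    if length > MAX_LENGTH:
        return False, f"too long ({length} > {MAX_LENGTH}); reject, do not truncate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a short "complex" password and a long passphrase.
    for sample in ["P@ss1", "correct horse battery staple", "пароль-длинный"]:
        print(f"{sample!r:34} legacy={legacy_policy(sample)}  nist={nist_policy(sample)}")
```

The short, symbol-heavy sample satisfies the legacy rule but fails the length rule, while the long passphrase fails the legacy rule and passes the length rule, which is the trade-off the article describes.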
Additional recommendations can be found in the NIST guidelines, accessible on NIST’s website.
Shata L. Stucky is an associate in the firm’s Privacy & Data Security practice, resident in its Seattle office.