The latest draft of NIST's password guidelines (SP 800-63B) simplifies password management practice: it drops the long-standing advice to require complex passwords and mandatory periodic resets, and goes further by forbidding verifiers from imposing them.
The National Institute of Standards and Technology (NIST) proposes eliminating these common but ineffective requirements, periodic changes and restrictions on character types, because they push users toward predictable patterns and password reuse rather than stronger secrets; the aim is better overall security hygiene, not laxer rules.
"The latest NIST guidelines now state that:
Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords and
Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
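To make the two SHALL NOT statements concrete, the following added example (not code from NIST or from this article) puts a legacy verifier policy, composition rules plus a fixed rotation interval, beside one that follows the draft text. The class names, the 90-day legacy lifetime, the blocklist contents and the sample accounts are constructed for illustration; the 8-character minimum and the compromised-password blocklist check are also in the SP 800-63B draft but are not part of the passage quoted above.

```python
"""Legacy password policy (composition rules, periodic expiry) beside one
aligned with the SP 800-63B draft: no composition rules, no expiry, and a
forced change only on evidence of compromise.

Added example, not NIST's or the article's code. Class names, the 90-day
lifetime, BLOCKLIST contents and the accounts in scenarios() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    username: str
    password_set_at: datetime
    # Most recent evidence that this authenticator was compromised
    # (credential dump, phishing report, detection alert); None if none.
    compromised_at: Optional[datetime] = None


class LegacyPolicy:
    """Composition rules and a fixed rotation interval (what the draft forbids)."""

    MAX_AGE = timedelta(days=90)  # constructed value, typical of old policies

    @staticmethod
    def validate(password: str) -> list[str]:
        problems = []
        if len(password) < 8:
            problems.append("shorter than 8 characters")
        classes = [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),  # symbols, including space
        ]
        if sum(classes) < 3:
            problems.append("needs at least 3 of: lower, upper, digit, symbol")
        return problems

    @classmethod
    def must_change(cls, account: Account, now: datetime) -> bool:
        expired = now - account.password_set_at > cls.MAX_AGE
        return expired or account.compromised_at is not None


# Constructed stand-in for a real compromised-password feed; a production
# verifier would query a large breach corpus, not a literal set.
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty123!"}


class NistDraftPolicy:
    """Length and blocklist only; change forced only on evidence of compromise."""

    MIN_LENGTH = 8  # draft minimum, counted in characters (not bytes)

    @staticmethod
    def validate(password: str) -> list[str]:
        problems = []
        if len(password) < NistDraftPolicy.MIN_LENGTH:
            problems.append(f"shorter than {NistDraftPolicy.MIN_LENGTH} characters")
        if password.lower() in BLOCKLIST:  # case-folding is this example's choice
            problems.append("appears in the compromised-password blocklist")
        return problems  # deliberately no character-class requirement

    @staticmethod
    def must_change(account: Account, now: datetime) -> bool:
        # `now` is unused: age alone never forces a change. Evidence of
        # compromise does, but only if it postdates the current password;
        # once the user has rotated after the incident it no longer applies.
        if account.compromised_at is None:
            return False
        return account.compromised_at > account.password_set_at


def compare(password: str, account: Account, now: datetime) -> dict:
    """Run both policies on one password/account pair for side-by-side output."""
    return {
        "legacy_problems": LegacyPolicy.validate(password),
        "legacy_must_change": LegacyPolicy.must_change(account, now),
        "nist_problems": NistDraftPolicy.validate(password),
        "nist_must_change": NistDraftPolicy.must_change(account, now),
    }


def scenarios() -> dict:
    """Constructed accounts and passwords exercising the differences."""
    now = datetime(2024, 10, 1, tzinfo=timezone.utc)  # constructed clock
    stale = Account("alice", now - timedelta(days=100))
    breached = Account("bob", now - timedelta(days=10), now - timedelta(days=1))
    rotated = Account("carol", now - timedelta(days=10), now - timedelta(days=20))
    return {
        "passphrase_stale": compare("correct horse battery staple", stale, now),
        "compliant_weak_stale": compare("P@ssw0rd", stale, now),
        "breached": compare("correct horse battery staple", breached, now),
        "rotated": compare("correct horse battery staple", rotated, now),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The contrast worth noticing: the legacy policy rejects a long lowercase passphrase while accepting "P@ssw0rd", a string that satisfies every character-class rule and sits in any breach corpus, and it forces a change purely on age. The draft-aligned policy accepts the passphrase, rejects the blocklisted string, and forces a change only when the recorded compromise is newer than the current password, so a user who already rotated after the incident is not prompted again.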