The agency that develops information security standards for the U.S. federal government is recommending significant changes to password guidelines, essentially reversing some long-held best practices.

Changes to the Digital Identity Guidelines are managed by officials at the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce.

While NIST standards are not binding – except on federal, non-military agencies – the guidelines are frequently looked to by private-sector professionals as best practices for creating security policies for businesses and other organizations.

The full draft report is available at NIST, but in an article for VentureBeat.com, information security expert Slava Gomzin said the new rules call for relying less on frequent password changes and more on encouraging use of longer, irregular passwords.  

1. End periodic password changes: It wasn’t all that long ago that virtually every organization would prompt users to change their passwords every three months.

But there’s long been debate about whether such policies do more harm than good, since employees will often try to make those passwords too simple in an effort to make them easier to remember.

Other times, users will write them down raising other security issues.

The new guidelines indicate that government experts have come down on the side of deeming frequent password changes as more trouble than they’re worth – not to mention less secure.

2. Dump rudimentary password complexity restriction: This is aimed at the basketball fan who loves Michael Jordan and regularly uses “chicagobulls23” as their favorite password.

Security software can impose complexity rules that require every password also have an upper-case letter and a symbol, for instance.

But the government research found that changing the above Jordan fan’s password to “ChicagoBulls23!” offers only a slight modicum of additional complexity and could actually provide a false sense of security. 

3. Do stringent new password validation: Using this security feature, every password is compared against lists of overused or previously compromised passwords.

“Users will be prevented from setting passwords like ‘password,’ ‘12345678,’ etc., which hackers can easily guess,” Gomzin wrote in the VentureBeat piece.

In a world of ideal password security, administrators should aim to set validation criteria to require long, random and complicated expressions. 

“Serious passwords these days are long — think 16 characters or more — and have a pattern that is not likely to be guessed even by the cleverest of tools,” according to an article in Computerworld.com.

A truly strong password, that piece suggests, looks something like: “j0MxmoNnEUg9JIflizGU.”

Send tips and news to [email protected].