Direction from the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) is only binding on federal agencies but the guidelines are frequently looked to by private-sector security professionals as best practices for creating information security policies.

Aldrin Brown, Editor-in-Chief

April 25, 2017

2 Min Read
New Guidelines End Frequent Password Changes

The agency that develops information security standards for the U.S. federal government is recommending significant changes to password guidelines, essentially reversing some long-held best practices.

Changes to the Digital Identity Guidelines are managed by officials at the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce.

While NIST standards are not binding – except on federal, non-military agencies – the guidelines are frequently looked to by private-sector professionals as best practices for creating security policies for businesses and other organizations.

The full draft report is available at NIST, but in an article for, information security expert Slava Gomzin said the new rules call for relying less on frequent password changes and more on encouraging use of longer, irregular passwords.  

1. End periodic password changes: It wasn’t all that long ago that virtually every organization would prompt users to change their passwords every three months.

But there’s long been debate about whether such policies do more harm than good, since employees will often try to make those passwords too simple in an effort to make them easier to remember.

Other times, users will write them down raising other security issues.

The new guidelines indicate that government experts have come down on the side of deeming frequent password changes as more trouble than they’re worth – not to mention less secure.

2. Dump rudimentary password complexity restriction: This is aimed at the basketball fan who loves Michael Jordan and regularly uses “chicagobulls23” as their favorite password.

Security software can impose complexity rules that require every password also have an upper-case letter and a symbol, for instance.

But the government research found that changing the above Jordan fan’s password to “ChicagoBulls23!” offers only a slight modicum of additional complexity and could actually provide a false sense of security. 

3. Do stringent new password validation: Using this security feature, every password is compared against lists of overused or previously compromised passwords.

“Users will be prevented from setting passwords like ‘password,’ ‘12345678,’ etc., which hackers can easily guess,” Gomzin wrote in the VentureBeat piece.

In a world of ideal password security, administrators should aim to set validation criteria to require long, random and complicated expressions. 

“Serious passwords these days are long — think 16 characters or more — and have a pattern that is not likely to be guessed even by the cleverest of tools,” according to an article in

A truly strong password, that piece suggests, looks something like: “j0MxmoNnEUg9JIflizGU.”


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like