The days of over-complicated, hard-to-remember passwords may soon be over.
In its new Digital Identity Guidelines, the US National Institute of Standards and Technology (NIST) is calling for the elimination of dated standards, such as requiring people to frequently change their passwords or mandating that they use particular types of characters. The guidelines, which are in the process of final edits, help set the standard for both governments and businesses.
Because humans only have a limited ability to memorise complicated strings of characters, they usually come up with ones that can be guessed easily, NIST noted in the new guidelines. In response, online services have forced users to come up with increasingly complex passwords.
“[They] require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol,” NIST writes. “However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
In other words, previous guidelines have resulted in passwords that are harder for humans to remember while making them no more difficult for computers to guess.
These antiquated guidelines have led to the rise of password management services, such as LastPass and 1Password, which keep track of users’ passwords so they don’t have to struggle to remember them.
NIST’s new guidelines call for an end to the special character requirements, and will instead urge online services to allow for longer passwords — up to 64 characters — that can include spaces. Random strings of words are easier for humans to recall but more difficult for computers to guess.
The new guidelines also call for an end to periodic password changes, as users who are forced to switch their passwords generally end up selecting simple ones that are easier to remember.
When the final standards are published they will apply only to government agencies and contractors, according to a report in Quartz. But they will likely be widely adopted in the private sector, the report noted.