The US government wants to cut out some of its weirdest password rules


The National Institute of Standards and Technology (NIST) has decided it is time to bin some of the oldest, most frustrating and strangest password requirements imposed on the US government.

Among the requirements NIST is looking to do away with are mandatory resets, security questions and the use of certain characters when crafting a secure password.

Good cybersecurity hygiene demands the use of unique and complex passwords to ensure the highest level of security, but if you aren’t using one of the best password managers they can be a pain to remember.

See ya later, @ll1g4t0r

In the incomprehensibly huge SP 800-63-4 document, which lays the compliance groundwork for organizations that interact with the federal government, NIST has removed the need for organizations to enforce a periodic password change policy. Changing passwords regularly was originally brought in as a rule to combat password leaks, on the theory that if a leaked password is changed, the old credentials will no longer work when an attacker tries them.

The downside, of course, was that people began using easily memorized single-word passwords and then just swapping the special characters or increasing the number on the end by one (we've all done it). Password generators have rendered this practice almost obsolete, as the user can set the desired length, special characters, and complexity to comply with any organizational demands.

The requirement for special characters has also been removed by NIST, and passwords will no longer need to include a combination of lowercase and uppercase characters along with special characters. NIST has, however, included a clause stating that if there is any evidence a credential could have been compromised, organizations should force a password change.

Additionally, knowledge-based authentication such as memorable places and security questions are to be banned from use. No longer will those interacting with the federal government be forced to remember the name of their first pet or a sibling's middle name in order to reset a password. The SP 800-63-4 Digital Identity Guidelines document is only in its second draft, and is therefore subject to change, but it is a signal that password practices could be about to change for the better.
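To make the contrast concrete, here is an added example (not code from the article, TechRadar or NIST) that checks a credential against an old-style composition-and-rotation policy and against a policy in the spirit of the new guidance: length plus a blocklist instead of character classes, no calendar-based expiry, and a forced change only when compromise is suspected. The blocklist is a constructed sample, and the 8-character minimum is an assumed configurable value.

```python
"""Legacy vs NIST-style password policy checks (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Constructed sample blocklist. A real deployment would load a large list of
# breached and commonly used passwords and compare case-insensitively.
BLOCKLIST = {"password", "letmein", "qwerty123", "summer2024!"}


@dataclass
class Credential:
    password: str
    last_changed: date
    compromise_suspected: bool = False  # e.g. credential seen in a breach dump


def legacy_policy(cred: Credential, today: date, max_age_days: int = 90) -> list[str]:
    """Old-style rules: required character classes plus forced periodic rotation."""
    p, problems = cred.password, []
    if len(p) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", p):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", p):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", p):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", p):
        problems.append("no special character")
    if (today - cred.last_changed) > timedelta(days=max_age_days):
        problems.append("expired: periodic rotation required")
    return problems


def nist_style_policy(cred: Credential, min_length: int = 8) -> list[str]:
    """Rules in the spirit of the new guidance: a minimum length (assumed 8 here)
    and a blocklist check replace composition rules; there is no calendar expiry,
    and a change is required only when compromise is suspected."""
    p, problems = cred.password, []
    if len(p) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if p.lower() in BLOCKLIST:
        problems.append("appears on the compromised/common password blocklist")
    if cred.compromise_suspected:
        problems.append("change required: evidence of compromise")
    return problems
```

Note how a passphrase like "correct horse battery staple" fails the legacy checks yet passes the NIST-style ones, while a compliant-looking "Summer2024!" passes the legacy checks but is caught by the blocklist.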

Via ArsTechnica


Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
