May 6, 2025
NIST wants to eliminate useless password rules

September 27, 2024

NIST is updating its password policies to dispel some persistent myths once and for all.

There are a lot of rules for creating the perfect password. Some of these rules are long outdated but are still applied. NIST, the US government’s standards agency, therefore devotes a section of its Digital Identity Guidelines to passwords.

NIST’s guidelines are intended to identify technical requirements and best practices to ensure the validity of online digital identity verification methods. Organizations that communicate with the federal government online must meet the requirements. We do not recommend that you read the document in its entirety. It has around 35,000 words and is packed with technical and bureaucratic jargon.

Do’s and Don’ts for passwords

The chapter on passwords contains some tips that would be very useful for anyone. NIST lists some do’s and don’ts for using passwords, both for personal and business accounts. A distinction is also made between guidelines that are merely recommended, what is a mandatory requirement (Should) and what is absolutely forbidden (Shouldn’t).

In the category “Password rules that should disappear as quickly as possible”, NIST includes, among other things, the regular changing of passwords. In fact, it’s an old myth that you should change your passwords every few months.

Research has shown that this ultimately leads to people choosing weaker passwords. A password must, with emphasis on “must”, only be changed if there are signs that it has been compromised, and then as quickly as possible.

Another myth that NIST wants to dispel is that requiring certain characters (punctuation, capital letters, numbers, etc.) automatically leads to stronger passwords. The length of a password says much more about its strength. If passwords are long and random enough, there is no point in requiring or restricting the use of certain characters. A password must have at least eight characters; according to NIST, fifteen characters is the recommended minimum.
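As an added illustration (not code from the article or from NIST), here is a small Python checker that applies a legacy rule set beside one that follows the guidance described above: length over character classes, and a password change only on signs of compromise. The Policy class, the sample passwords and the 90-day legacy interval are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional
import string


@dataclass(frozen=True)
class Policy:
    min_length: int
    require_classes: bool        # legacy: demand upper, lower, digit and symbol
    max_age_days: Optional[int]  # legacy: force a change every N days; None = never


# Legacy rule set of the kind the article says NIST wants gone (values constructed).
LEGACY = Policy(min_length=8, require_classes=True, max_age_days=90)
# Rule set following the article: 15 characters recommended, no composition
# rules, no scheduled rotation. NIST's absolute floor is 8 characters.
NIST_STYLE = Policy(min_length=15, require_classes=False, max_age_days=None)


def check_password(pw: str, policy: Policy) -> List[str]:
    """Return the policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_classes and not all((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )):
        problems.append("missing a required character class")
    return problems


def change_required(policy: Policy, age_days: int, compromise_suspected: bool) -> bool:
    """Decide whether a password must be replaced now."""
    if compromise_suspected:          # both policies: change immediately
        return True
    if policy.max_age_days is None:   # NIST style: no calendar-driven change
        return False
    return age_days >= policy.max_age_days


if __name__ == "__main__":
    # Constructed sample passwords: a short "complex" one and a long plain one.
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        print(pw, "| legacy:", check_password(pw, LEGACY) or "ok",
              "| nist:", check_password(pw, NIST_STYLE) or "ok")
```

The short password with all four character classes passes the legacy policy and fails the NIST-style one, while the long plain passphrase does the opposite.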

NIST’s other two Shouldn’t rules are requiring a security question, such as “What is the name of your first pet?”, and keeping clues about your password in places accessible to unauthenticated people.

Source: IT Daily
