This week’s updated advice from the US National Institute of Standards and Technology (NIST), which sets the policies expected for organisations interacting with the US government, reflects a growing consensus that it is significantly safer and easier for people just to use one simple password that is a little longer, with no special characters, for each account. Phew, that’s a relief to this grey-haired forgetful brain!
Guidance from the US National Institute of Standards and Technology says organisations “shall not require users to change passwords periodically”.
The usefulness of “P@5sw0rd2”, or whatever string of text currently lets you access your work computer, might soon be coming to an end. And, for once, it’s not because your company’s security policy means that it’s now time to change it to P@5sw0rd3.
Instead, it’s because the US government is joining security experts around the world in begging organisations to stop requiring employees to use passwords that contain special characters — that then also have to be changed every few months.
This week’s updated advice from the US National Institute of Standards and Technology (Nist), which sets the policies expected for organisations interacting with the US government, reflects a growing consensus that it is significantly safer and easier for people just to use one simple password that is a little longer.
“I hope this will be a tipping point,” said Angela Sasse, from University College London, who has argued for 25 years that our approach to passwords has been wrong. “There’s been this idea in the security community that if we make something easier, it makes it less secure.”
In fact, she said, the reverse is true. Her research, and that of other academics, shows that the greater the burden put on people to remember complex passwords, the more they look for shortcuts, such as simply incrementing one digit each time they change it. Or, worse, writing it down.
This reflects, she said, a disconnect between how real humans behave and computer scientists’ ideas of how those humans should behave.
“You can’t ignore actual human capabilities,” said Sasse. “When you use a password, it’s embedded in your memory. After you change it, your memory struggles — the old one is still embedded.” So what adapts is not memory, but the password. “It has been demonstrated with large scale databases that the more often passwords expire, the weaker they get.”
That may now change. Nist’s draft guidance states that organisations “shall not impose other composition rules (e.g. requiring mixtures of different character types) for passwords [and] shall not require users to change passwords periodically”. It recommends, though, that passwords be 15 characters in length.
In doing so, it follows recommendations already in place by the UK’s National Cyber Security Centre. In its password guidance, it says: “Don’t enforce regular password expiry. Regular password changing harms rather than improves security … forcing password expiry carries no real benefits because the user is likely to choose new passwords that are only minor variations of the old.”
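To make the two rule sets concrete, here is an added example (not code from the article, Nist or the NCSC) of a minimal policy checker: a legacy "complexity plus 90-day expiry" policy beside a length-first policy with no composition rule and no expiry. The policy values, the rejection messages and the `is_minor_variation` audit helper (which flags the increment-one-digit shortcut the article describes) are assumptions for illustration.

```python
"""Added example: contrast a legacy composition+expiry password policy with a
length-first policy of the kind the draft Nist guidance describes."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

@dataclass
class Policy:
    min_length: int
    require_mixed_classes: bool   # the composition rule the draft says not to impose
    max_age_days: Optional[int]   # periodic expiry; None means never expires

# Assumed values: a typical legacy policy, and a length-first policy.
LEGACY = Policy(min_length=8, require_mixed_classes=True, max_age_days=90)
LENGTH_FIRST = Policy(min_length=15, require_mixed_classes=False, max_age_days=None)

def has_mixed_classes(pw: str) -> bool:
    """Legacy-style composition rule: at least three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, pw)) for c in classes) >= 3

def check(policy: Policy, new_pw: str) -> list:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(new_pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_classes and not has_mixed_classes(new_pw):
        problems.append("composition rule: needs mixed character classes")
    return problems

def must_rotate(policy: Policy, set_on: date, today: date) -> bool:
    """Whether a periodic-expiry policy forces a change today."""
    return policy.max_age_days is not None and (today - set_on).days >= policy.max_age_days

def is_minor_variation(old: str, new: str) -> bool:
    """Audit helper: True if `new` is `old` with only its trailing digits changed,
    the 'P@5sw0rd2' -> 'P@5sw0rd3' shortcut that expiry tends to produce."""
    strip = lambda s: re.sub(r"\d+$", "", s)
    return old != new and strip(old) != "" and strip(old) == strip(new)

if __name__ == "__main__":
    for pw in ("P@5sw0rd3", "coffee before the long meeting"):
        print(pw, "legacy:", check(LEGACY, pw), "length-first:", check(LENGTH_FIRST, pw))
```

Running it shows the legacy policy happily accepts the incremented "P@5sw0rd3" while rejecting a long plain passphrase, and the length-first policy does the opposite.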
Sasse said that the use of special characters, still insisted on by many websites, was a particular annoyance. Partly this is because they are particularly fiddly to type on touchscreens.
Partly it’s because of the extra cognitive burden. “If people have multiple passwords, they can’t possibly cope with those requirements,” she said. “If we push them to make them complex, in order to keep them memorable, they will use them across different accounts. That’s a much bigger security risk than using a password that is, cryptographically, not so strong.”
Nist’s guidelines hold no sway in the UK but, given the growing consensus of official recommendations, they could help legitimise a change in password culture across the internet.
“With Nist changing, the last excuse for not doing this has gone,” said Sasse. “I can’t fathom why it took them so long.”
Tom Whipple, Science Editor
Monday September 30 2024, 7.20am BST, The Times