Bill • November 16, 2021 8:34 AM
The NIST has already advised on passwords, and issued guidelines a couple of years ago — recommending LESS COMPLEX passwords (no rules) in favor of longer passwords.
They cite research indicating that complex passwords are not harder to crack, and are much harder to remember (which is why people write them down, or now use password managers). Longer passwords, on the other hand, can be easy to remember as phrases or strings of words, etc. Longer passwords are harder to crack.
William Entriken • November 16, 2021 9:27 AM
NIST has published guidelines on what types of passwords should be accepted for login systems. We should promote and share solutions to the problem.
https://pages.nist.gov/800-63-3/sp800-63b.html
Specifically, the relevant recommendation here is: Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Usability has a huge impact on how people interact with systems. If you purposely make the experience different from site to site – users will take shortcuts, including making weaker passwords. A common “password standard” would benefit everyone greatly and reduce risk overall.
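As an added illustration (not code from the commenter or from NIST), here is what a verifier-side check looks like when it follows the SP 800-63B memorized-secret rules the comment cites: a minimum of 8 characters, at least 64 permitted, Unicode and spaces accepted with NFKC normalization, no composition rules, and a comparison against a blocklist of commonly used or compromised values plus context-specific words such as the username. A legacy "mix of character classes" rule is included alongside it for contrast. The blocklist is a tiny constructed sample standing in for a real breached-password corpus, and the function names are the author's own.

```python
import unicodedata
from typing import Iterable, Tuple

# Constructed sample blocklist; a real deployment would use a large
# breached/common-password corpus (e.g. an offline k-anonymity lookup).
BLOCKLIST = {
    "password",
    "123456",
    "qwerty",
    "letmein",
    "correct horse battery staple",
}

MIN_LENGTH = 8    # SP 800-63B: SHALL require at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: SHOULD permit at least 64 characters


def normalize(secret: str) -> str:
    """Apply NFKC normalization so visually equivalent Unicode input
    compares (and hashes) the same way. Each code point counts as one character."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """Flag trivially repetitive ('aaaaaaaa') or strictly sequential
    ('12345678', 'abcdefgh') strings; these belong on the blocklist side,
    not in a composition rule."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps == {1} or steps == {-1}


def check_memorized_secret(secret: str,
                           context_words: Iterable[str] = ()) -> Tuple[bool, str]:
    """NIST-style verifier check: length bounds and blocklist only,
    no character-class requirements. Returns (accepted, reason)."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, "too short"
    if len(s) > MAX_LENGTH:
        return False, "too long"
    lower = s.lower()
    if lower in BLOCKLIST:
        return False, "commonly used or compromised"
    if is_repetitive_or_sequential(lower):
        return False, "repetitive or sequential"
    for word in context_words:
        word = word.strip().lower()
        if word and word in lower:
            return False, "contains context-specific word"
    return True, "ok"


def legacy_composition_rules(secret: str) -> bool:
    """The kind of rule SP 800-63B says verifiers SHOULD NOT impose:
    upper + lower + digit + symbol. Shown only for contrast."""
    return (any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "purple otter drinks tea at noon", "aaaaaaaa"]:
        print(f"{candidate!r}: nist={check_memorized_secret(candidate)} "
              f"legacy={legacy_composition_rules(candidate)}")
```

Note the contrast in the usage block: "P@ssw0rd" satisfies the legacy class-mixing rule while a long, memorable passphrase fails it; the NIST-style check reverses that outcome because it judges length and known-weakness rather than character mix.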
mark • March 2, 2023 1:00 PM
And NIST guidelines, as of three years ago, were that you don’t need to change your passwords more than every couple of years.