Forcing users to periodically change their passwords should go the way of the dodo according to the US government

[Image: computer code and text displayed on computer screens. Credit: Chris Ratcliffe/Bloomberg via Getty Images]

Passwords are a pain. Just when you've got one fully committed to memory, chances are your workplace will force you to throw it away and make a new one, in the name of cybersecurity—and if you're anything like me, you'll spend the next few weeks typing in the old one out of habit. Of course, you should be using a good password manager to keep track, but even then it's an irritant.

The National Institute of Standards and Technology (NIST) has released the latest version of its Digital Identity Guidelines, and (rather fittingly) it's more fiendishly complicated to read than a particularly secure password sequence (via Ars Technica). 

Amid the incredibly dry wording, however, is a rule barring the requirement that users periodically change their passwords.

The NIST is a US federal body that sets the digital standards for governmental agencies, standards organisations and private companies, so when it speaks, plenty listen. As a result, we could finally see our passwords lasting longer for a variety of services, giving us plenty of mental headspace to remember important things like sports scores, and the names of those who have wronged us in the past.

Essentially, the reasoning here seems to be thus: If users are forced to change complicated passwords frequently, they have a tendency to create simpler and simpler versions to make them easier to remember. 

Given that most people don't use a password manager (and this is the point where I'm contractually obliged to glare at you disapprovingly), what was originally "Fl00fyl1ttlekittens#84753j4X))-B" gradually becomes "Floofylittlekittens8", as it's easier to remember—and eventually, "cat12345". 

If that happens to be your actual password, I hope I made your stomach drop in terror.

If you're in the market for a password manager, I have a few recommendations for the ones we use regularly on the team. There's Bitwarden and Proton Pass. Both are open source, easy to use, and come from respectable organisations. Bitwarden is the best for raw functionality, though it's not the prettiest, while Proton Pass is great if you already have a Proton Mail account.

There's similar thinking behind the removal of a rule requiring you to add in special characters. Forcing users to think up a difficult-to-remember sequence essentially encourages them, over time, to become lazy with their choices, making the passwords gradually easier to crack overall.

The now-standard eight-character minimum length requirement is still there, of course, along with a suggestion that fifteen characters in length "should" be the minimum in many circumstances. That seems a little excessive, but hey, it's a dangerous cyber-world out there.

So, will we see these new password rules implemented any time soon? Well, unless you're a US government worker, I doubt it'll be a quick switchover. Large private organisations often take some time to change, especially when it comes to security infrastructure. Plus, in this case, there's a cultural element of overturning the long-held belief that frequent password changes make things safer for us all.

Still, anything that makes workplace security simpler and safer is fine by me. Shall I use this last line to reiterate that you should be using a password manager, just for good measure? Done and done.


Andy Edser
Hardware Writer

Andy built his first gaming PC at the tender age of 12, when IDE cables were a thing and high resolution wasn't—and he hasn't stopped since. Now working as a hardware writer for PC Gamer, Andy's been jumping around the world attending product launches and trade shows, all the while reviewing every bit of PC hardware he can get his hands on. You name it, if it's interesting hardware he'll write words about it, with opinions and everything.
