NIST Drops Password Complexity, Mandatory Reset Rules


Screen covered with multi-colored postits, each one with a password written on it.

Source: Vitalii Vodolazskyi via Shutterstock

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.

NIST's second public draft of its Digital Identity Guidelines (SP 800-63-4; the password rules themselves sit in volume B, SP 800-63B-4) sets out technical requirements and recommended practice for password management and authentication. Under the new draft, credential service providers (CSPs) and verifiers must stop requiring passwords to contain specific types of characters (composition rules) and must stop mandating periodic password changes (commonly every 60 or 90 days). CSPs must also stop using knowledge-based authentication, such as security questions, and stop letting users store password hints.

Other recommendations include:

  • Passwords should be a minimum of 15 characters (the draft sets a hard floor of 8 and recommends 15).

  • CSPs should accept passwords of at least 64 characters; a longer limit is allowed but not required.

  • CSPs should accept all printing ASCII characters, the space character, and Unicode characters in passwords.
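The following is an added example, not code from the article or from NIST: it puts a legacy "complexity" rule next to a length-based rule written from the three bullets above, and shows why the two disagree on the very passwords the article calls out. The NFKC normalization step and the choice to reject control characters are the author's assumptions, not something the article states; the sample passwords are constructed for the demonstration.

```python
import unicodedata

# --- Legacy composition rule of the kind the new draft forbids --------------
# "8+ characters with upper, lower, digit and symbol" is the classic enterprise
# policy. It is satisfied by weak, predictable strings.
LEGACY_MIN_LEN = 8


def legacy_complexity_ok(pw: str) -> bool:
    """Old-style check: minimum length plus all four character classes present."""
    return (
        len(pw) >= LEGACY_MIN_LEN
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)   # space or punctuation counts as a symbol
    )


# --- Length-based rule following the SP 800-63B-4 draft bullets -------------
MIN_LEN = 15   # recommended minimum (the draft's hard floor is 8)
MAX_LEN = 64   # a verifier must accept at least this many; raising it is allowed


def normalize(pw: str) -> str:
    """NFKC-normalize so visually identical Unicode input is compared the same way.

    Applying NFKC before length-checking and hashing is an assumption of this
    example (SP 800-63B suggests a stabilized-string normalization such as NFKC).
    """
    return unicodedata.normalize("NFKC", pw)


def nist_length_policy(pw: str) -> tuple[bool, str]:
    """Accept or reject on length only; no composition rules.

    Length is counted in code points after normalization, not in bytes, so a
    Unicode password is not penalized for using multi-byte characters.
    """
    pw = normalize(pw)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters"
    # Rejecting control characters (Unicode categories Cc, Cf, ...) is this
    # example's choice; the draft talks about accepting *printing* characters.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters are not allowed"
    return True, "ok"


def evaluate(pw: str) -> dict:
    """Side-by-side verdict of both policies for one candidate password."""
    ok, reason = nist_length_policy(pw)
    return {"legacy_complexity": legacy_complexity_ok(pw), "length_policy": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed samples: the two weak-but-"complex" strings from the article,
    # a long passphrase, a Unicode passphrase, and one with an embedded tab.
    samples = [
        "Password123!",
        "q1@We3$Rt5",
        "correct horse battery staple",
        "пароль длиной пятнадцать",
        "correct horse\tbattery staple",
    ]
    for s in samples:
        print(f"{s!r:40} {evaluate(s)}")
```

Running it shows the inversion the article describes: both "Password123!" and "q1@We3$Rt5" pass the legacy complexity rule and fail the length rule, while the 28-character passphrase fails the legacy rule (no uppercase, no digit) and passes the length rule. The Cyrillic passphrase passes because length is counted in characters, and the tab-containing one is rejected only because of the control character, not because of its length.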

Older NIST guidance, and the enterprise policies built on it, called for complexity: passwords combining uppercase and lowercase letters, digits, and special characters. The 2017 revision (SP 800-63B) had already advised against such composition rules as a "should not"; the new draft turns that into a hard "shall not." The reason is that complex passwords are not necessarily strong (e.g., "Password123!" or "q1@We3$Rt5" satisfy every composition rule and are still easily guessed). In practice, composition rules pushed users toward predictable substitutions, toward writing passwords down in easy-to-find places, and toward reusing them across accounts. NIST has therefore shifted its emphasis to length: longer passwords are harder to brute-force, and a long passphrase can be easier to remember than a short string of symbols without being predictable.

NIST also now says that a forced password change should happen only when there is evidence that the credential has been compromised, for example in a breach. Making people change passwords on a schedule has been shown to push them toward weaker, incrementally modified passwords rather than stronger ones.
