The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

Foley Hoag LLP - Security, Privacy and the Law

Foley Hoag LLP - Privacy & Data Security

Great article in the Wall Street Journal this week (paywall), on the history of passwords and password management. I did not know that the seeming obsession with passwords featuring a strange mixing of capital letters, numbers and !@#$%^&*()+ derives from a 2003 National Institute of Standards and Technology report, “NIST Special Publication 800-63. Appendix A.” This report advised computer users to protect their accounts by using the now familiar mélange of characters, capital letters and numbers—and to change those passwords regularly.  Of course, that resulted in people using just a few passwords and writing them down because they were difficult to remember.  In the end, the guidance made systems less safe.

The 2003 NIST guidance has now been replaced by a new version of NIST Special Publication 800-63A, “Digital Identity Guidelines:  Enrollment and Identity Proofing Requirements.”

The current guidance from NIST is a nearly 180-degree turn from the original: no longer are regular password changes called for, and gone is the recommendation to use those special characters. The new report isn’t all that fun to read (save it for a rainy day). But the report suggests moving from passwords to passphrases, and using dual-factor authentication. So rip up those Post-It notes with your passwords and start fresh!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
