Changing your password often is a widespread practice for improving online security, since it is meant to protect your accounts from attacks by cyber criminals and other malicious actors. However, more and more cybersecurity experts now argue that this habit can be ineffective and sometimes even counterproductive. When you feel forced to change your password regularly, it is in fact common to adopt predictable patterns, which make it easier to remember the many security keys that accumulate over time. Rather than increasing the security of your accounts, this behavior makes the work of cyber criminals, who are skilled at recognizing and exploiting these patterns, much easier.
As can be seen by reading the new guidelines of NIST (National Institute of Standards and Technology), a US government agency that defines computer security standards which are progressively adopted around the world, it is much better today to favor unique and complex passwords and not change them unless strictly necessary, such as after an account compromise or when a password appears in a known data leak. In this context, password managers become precious allies, as they allow you to generate and store strong and diversified passwords, greatly simplifying the management of your accounts.
NIST’s new rules on password security
Strong passwords, however annoying, remain (together with two-factor authentication) one of the main barriers against unwanted access to your accounts. In the past, many platforms required you to change your password periodically, sometimes every 60 days, as a precaution against possible cyber attacks. However, the NCSC (National Cyber Security Centre) of the United Kingdom began to question this practice as early as 2015. The NCSC warned that forcing password changes leads users to choose variations of the previously set password, following predictable patterns (for example, changing “Password123” to “Password456”).
For a hacker (or rather, a cracker), identifying these patterns is not at all complex; once one password has been discovered, working out its subsequent versions becomes child’s play. While it may seem counterintuitive, frequently changing passwords paradoxically increases the risk of a breach rather than reducing it, because it pushes the user toward a trivial, easy-to-remember password rather than a complex, secure one. In other words, the obligation to change all their passwords frequently leads users into misleading and dangerous reasoning, such as “Never mind if the password isn’t the most secure… I’ll have to change it in a few months anyway”.
NIST (National Institute of Standards and Technology) in the United States takes the same view, as is evident from its new guidelines, which discourage regular, systematic password changes.
Organizations and companies that operate computer systems where users authenticate with passwords are now no longer encouraged to ask them to change their passwords periodically, unless there has been an account compromise. NIST also states that passwords should be at least 8 characters long, ideally 15 characters (and systems should allow entry of up to 64 characters), including the full range of symbols, special characters included.
Restrictions that impose complex, schematic compositions, such as the mandatory mix of lowercase and uppercase characters with symbols and numbers, are now also considered harmful, because they often lead users to opt for simple, easily guessed solutions. The paradox is that such systems can allow the creation of insecure passwords (such as “P@ssWorD!”) while rejecting security keys that should be considered far more secure (for example “h3bJW1914Gdjnk5GY£IKND!”).
Beyond that, NIST specifies that the use of uppercase, lowercase and symbols is not necessary to ensure the randomness of a password. In particular, a randomly generated password does not necessarily benefit significantly from the mandatory inclusion of these characters. Indeed, the very obligation to include a set number of uppercase characters, symbols and numbers can itself be a clue that facilitates attacks.
Another new NIST recommendation is not to provide password hints after several failed login attempts. Although such hints can be useful to the most forgetful users, who struggle to remember their passwords, they risk making the task easier for cyber criminals, offering clues that reduce the number of attempts needed to identify the correct password and “crack” a given account.
NIST also updated two other guidelines, taking note of technological evolution and changes in attack methods. The first concerns security questions, widely used to verify identity. This method, based on entering answers to questions pre-selected by the user, is no longer considered secure, since social networks can make it quite easy to find information that answers some security questions, such as the name of your pet or the elementary school one of your parents attended.
Another notable update concerns the password verification process: NIST now states that, to be valid, the entered password must be checked in its entirety and not just its initial characters, as some older systems do. These old methods, which truncate passwords beyond a certain length, expose the system to significant vulnerabilities: an intruder who guesses only the first few characters would still be able to gain access to the victim’s account.
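The length-based policy, the leaked-password check and the full-length verification described above, as an added example in Python that is not part of the original article. The legacy policy, the compromised-password set and the salt are constructed for illustration, and the hashing function (PBKDF2) is this example's choice, not something the guidelines prescribe.

```python
import hashlib
import hmac
import unicodedata

# Constructed stand-in for a list of known-compromised passwords (a real
# deployment would query a breach corpus); kept lowercase for lookup.
COMPROMISED = {"password123", "password456", "p@ssword!", "qwerty123"}

# Constructed legacy policy: ASCII-only allowlist, 8-16 characters, and a
# "three of four character classes" composition rule.
LEGACY_SYMBOLS = set("!@#$%^&*")

def legacy_composition_check(pw):
    """Accepts 'P@ssWorD!' yet rejects a long random key with a '£' in it."""
    if not 8 <= len(pw) <= 16:
        return False
    if any(not (c.isascii() and (c.isalnum() or c in LEGACY_SYMBOLS)) for c in pw):
        return False
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in LEGACY_SYMBOLS for c in pw)]
    return sum(classes) >= 3

def nist_style_check(pw):
    """Length-based policy in the spirit of the guidance the article describes:
    8 to 64 characters, any Unicode, no composition rules, no leaked values."""
    pw = unicodedata.normalize("NFKC", pw)  # same visible text -> same value
    if len(pw) < 8:
        return False, "too short"
    if len(pw) > 64:
        return False, "too long"
    if pw.lower() in COMPROMISED:
        return False, "known compromised"
    return True, "ok"

def make_verifier(pw, salt, truncate_to=None):
    """PBKDF2 verifier. truncate_to models legacy systems that hashed only the
    first N characters (the truncation NIST now rules out); None = whole password."""
    material = pw if truncate_to is None else pw[:truncate_to]
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, 100_000)

def verify(stored, salt, candidate, truncate_to=None):
    return hmac.compare_digest(stored, make_verifier(candidate, salt, truncate_to))

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; use a random per-user salt in practice
    full = make_verifier("correct horse battery staple", salt)
    trunc = make_verifier("correct horse battery staple", salt, truncate_to=8)
    # The 8-character verifier accepts any candidate sharing the prefix "correct ".
    print(verify(trunc, salt, "correct guess", truncate_to=8))  # True
    print(verify(full, salt, "correct guess"))                   # False
```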

Password managers are powerful allies for cybersecurity
In light of the new guidelines published by NIST, it is clear that password managers are powerful allies for your own IT security. Since it is no longer necessary to change the security keys of your accounts frequently, you can focus on creating highly secure passwords, perhaps using the generators included in many of these password managers. These tools, available both as desktop programs and as apps for Android and iPhone, make it easier both to create and to maintain passwords.
Even if the future points toward a world without passwords, thanks to the growing adoption of passkeys (an authentication method that lets you access your accounts using your smartphone’s biometric unlock), for now passwords remain a pillar of IT security, and it is therefore essential to follow the most recent guidance from cybersecurity experts.