The NIST* has modernized the password rules for US Government Department, specifically the “minimum requirements for federal information systems”. This is supposedly where every IT department gets their rules from, so maybe these better rules will be used, “soonish”, in bank machines and corporate workplaces.
– (Yeah, I said “soonish”. In this case, “soonish=”probably years from now”.)
What the NIST said:
I will summarize and link to the parts of the draft Guidelines that make passwords easier.
“Draft NIST Special Publication, 800-63B – Digital Identity Guidelines”:
- Section 5, Authenticator and Verifier Requirements
- Section 18.104.22.168 – Don’t make the password artificially hard to remember by requiring “complexity rules”: UPPER, lower, numeric, special characters. (Rationale in Appendix A)
- Appendix A, Strength of Memorized Secrets
- Why complex passwords are bad: “analyses of breached password databases reveals that the benefit of such [complexity] rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
- Services should disallow passwords found in a list of commonly used passwords, such as “Password1!”, and “123456”.
For a longer explanation, see Slava Gomzin’s article on Venture Beat.
* NIST = National Institute of Standards and Technology – part of the U. S. Dept. of Commerce)