Last year, I wrote about a security myth that frequently changing passwords is good for security (see blog post).
The Trusted Identity Group at the National Institute of Standards and Technology released a revised version of its Special Publication 800-63B, Authentication & Lifecycle Management, on March 31, 2017. Although the NIST guidance is only intended for Federal agencies, its influence is felt throughout the IT sector. Among its recommendations, this document addresses two security myths concerning passwords and updates current best practices.
First, the Publication states that passwords "SHOULD NOT ... be changed arbitrarily (e.g., periodically) and SHOULD only require a change if the subscriber requests a change or there is evidence of compromise of the authenticator" (section 184.108.40.206).
Second, the Publication states that, other than a minimum length requirement, "no other complexity requirements for memorized secrets SHOULD be imposed" (section 220.127.116.11) and that "composition rules (e.g., mixtures of different character types)" SHOULD NOT be imposed on passwords (section 18.104.22.168).
The Publication defines:
The terms “SHOULD” and “SHOULD NOT” indicate that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or that (in the negative form) a certain possibility or course of action is discouraged but not prohibited.
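To make the two recommendations concrete, here is an added illustration (not from the post or from NIST) of a legacy verifier policy next to one aligned with the Publication. The minimum length of 8 and the 90-day legacy rotation interval are assumptions for the example; the post itself only says "a minimum length requirement".

```python
from typing import Optional

MIN_LENGTH = 8  # assumed minimum length; the post does not state a number


# --- Legacy policy: composition rules plus calendar-driven rotation ---------
def legacy_accepts(password: str) -> Optional[str]:
    """Return None if the password is accepted, otherwise the rejection reason."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if not any(c.isupper() for c in password):
        return "needs an uppercase letter"
    if not any(c.isdigit() for c in password):
        return "needs a digit"
    if not any(not c.isalnum() and not c.isspace() for c in password):
        return "needs a symbol"
    return None


def legacy_must_change(age_days: int, compromise_evidence: bool,
                       max_age_days: int = 90) -> bool:
    # Forces a change on a fixed schedule, regardless of any actual risk.
    return compromise_evidence or age_days > max_age_days


# --- NIST SP 800-63B-aligned policy: length only, change on compromise -------
def nist_accepts(password: str) -> Optional[str]:
    """Only a minimum length is enforced; no composition rules are applied."""
    if len(password) < MIN_LENGTH:
        return "too short"
    return None


def nist_must_change(age_days: int, compromise_evidence: bool) -> bool:
    # Age alone is never a reason to force a change; only evidence of
    # compromise is (a subscriber-requested change is handled separately).
    return compromise_evidence


if __name__ == "__main__":
    # Constructed sample: a long passphrase with no digits or symbols.
    pw = "correct horse battery staple"
    print("legacy:", legacy_accepts(pw), "| nist:", nist_accepts(pw))
    print("legacy rotation at 120 days:", legacy_must_change(120, False))
    print("nist rotation at 120 days:  ", nist_must_change(120, False))
```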