Skip to navigationSkip to content

The US government says you shouldn’t be forced to use special characters in your passwords

Customers use computers at an internet cafe in Taiyuan, Shanxi province March 10, 2010.
A new standard.
  • David Yanofsky
By David Yanofsky

Editor of code, visuals, and data

Published This article is more than 2 years old.

It might be getting easier to remember all of your passwords. The standards organization of the United States, NIST, has concluded that many common requirements for passwords, like forcing you to use special characters, are misguided.

Instead, NIST recommends the use of lengthy passwords, and instructs administrators to allow passwords to run at least 64 characters long. It also says people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.

The newly finalized guidelines attempt to balance the limits of human memory with proper digital security. A password with special characters may be hard to remember but easy for a computer to guess. On the other hand, a long and simple password is easy for a human to remember and actually very difficult for a computer to guess.

The manual also cites human behavior as undercutting the efficacy of complexity rules:

For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

It points out that as password complexity rules are added, it’s more likely that people will start writing down their passwords, increasing the chance of being stolen.

Rather than having a complex password be the linchpin of an account’s security, the guidelines say that administrators should take actions that make accounts more secure than special characters ever could—for instance, preventing the use of common passwords and those that have been previously exposed in breaches, and creating a waiting period between incorrect login attempts.

📬 Kick off each morning with coffee and the Daily Brief (BYO coffee).

By providing your email, you agree to the Quartz Privacy Policy.