NIST, the National Institute of Standards and Technology in the US, is releasing new password standards that make passwords so much easier…
Using plain letters is enough; numbers and symbols are optional.
Passwords need to be long, at least 8 characters. 16 or more is better.
You don’t have to reset passwords unless you suspect a data breach. Wow!
However, passwords cannot match a database of stolen or easy-to-guess passwords, and your login mechanism has to have a way to verify that.
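The rules above (length instead of composition rules, no forced expiry, but a mandatory check against a corpus of breached or easy-to-guess passwords) map directly onto a small validator. The following is an added example, not code from NIST or from the original post; the breached-password list is a constructed stand-in for a real corpus, the `range_lookup` function simulates a k-anonymity style breach-check service (the caller reveals only the first five hex characters of the SHA-1 hash, so the plaintext never leaves the checking side), and the repeated/sequential-character and username/service-name checks follow the additional blocklist items SP 800-63B lists alongside breached passwords.

```python
from __future__ import annotations
import hashlib

MIN_LEN = 8    # NIST minimum for user-chosen memorized secrets
MAX_LEN = 64   # a verifier should accept at least this many characters

# Constructed sample of breached passwords; a real deployment would load
# millions of entries from a breach corpus instead.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "password1", "welcome1", "summer2017",
}

# Precomputed SHA-1 digests so the check can be done as a range lookup:
# SHA-1 is used here only as an index into the breach corpus, not for storage.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in BREACHED_PASSWORDS
}


def range_lookup(prefix5: str) -> list[str]:
    """Simulated breach-corpus service (assumption: k-anonymity style API).

    Given the first 5 hex characters of a SHA-1 digest, return the 35-character
    suffixes of every breached hash sharing that prefix. The service never sees
    the full hash, let alone the password."""
    prefix5 = prefix5.upper()
    return sorted(h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5))


def is_breached(password: str) -> bool:
    """Client side of the range lookup: hash locally, send the prefix,
    compare the returned suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def has_repeats_or_sequences(password: str, run: int = 4) -> bool:
    """True if `run` identical characters appear in a row (e.g. 'aaaa') or a
    run of consecutively increasing/decreasing code points (e.g. 'abcd', '4321')."""
    s = password.casefold()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_context_word(password: str, context: list[str]) -> bool:
    """True if the password contains a context-specific word such as the
    username or the name of the service (case-insensitive)."""
    s = password.casefold()
    return any(w and w.casefold() in s for w in context)


def check_password(password: str, username: str = "", service: str = "") -> list[str]:
    """Return the list of reasons a password is rejected; empty means accepted.

    Deliberately absent: composition rules (required digits/symbols) and any
    expiry date, in line with the guidance summarised above."""
    problems: list[str] = []
    n = len(password)  # count code points, not bytes; spaces are allowed
    if n < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Check the exact string and its lowercased form, so a trivially
    # capitalised breached password is still caught.
    if any(is_breached(v) for v in {password, password.casefold()}):
        problems.append("appears in the breached-password corpus")
    if has_repeats_or_sequences(password):
        problems.append("contains repeated or sequential characters")
    if contains_context_word(password, [username, service]):
        problems.append("contains the username or service name")
    return problems


if __name__ == "__main__":
    for candidate in ["password1", "correct horse battery staple", "abcd1234xyz",
                      "short", "MyAcmeLogin!!"]:
        verdict = check_password(candidate, username="jdoe", service="acme")
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Note what `check_password` does not do: a long passphrase of plain lowercase words passes, and nothing in the result depends on how long ago the password was set. The only hard rejection for a long password is a hit in the breach corpus or a context word, which is exactly the verification the summary says the login mechanism must be able to perform.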
That’s the basic gist. You can read the details in NIST Special Publication 800-63 at https://pages.nist.gov/800-63-3/sp800-63-3.html. It covers secret questions, two-step login, etc.
Now, hopefully PCI and other standards will update their rules too.
Please forward this to anyone who is sick of complicated passwords and having to change them every 90 days.