Question: Our IT consultant suggests that we update passwords every 30 days, but this is met with great staff resistance, and may actually adversely impact productivity. Is this necessary?

Codify Subscriber Answer: While frequent password changes have been the norm for years, the National Institute of Standards and Technology (NIST) updated their guidelines and recommendations concerning identity security. “Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator,” NIST says (emphasis original).

With this advice, encourage your IT manager and all your staff who use computers to choose a strong password (or “secret,” in NIST parlance) for each function requiring a password, and don’t require any changes unless you must.

Additionally, NIST does not recommend requiring that passwords have multiple composition rules, like mixed-case letters, numerals, or special characters. “These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret,” NIST says.

When updating your password rules and regulations, NIST recommends creating a “blacklist” of passwords that are common enough to be vulnerable to attack.

To read the rest of the NIST updates, go here: https://pages.nist.gov/800-63-3/.
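The policy the answer describes, written out as a verifier-side check (an added example, not code from the original answer or from NIST): no composition rules, a blocklist (the answer's “blacklist”) of common passwords, no periodic expiry, and a forced change only when compromise is evidenced. The 8-character minimum comes from SP 800-63B; the blocklist contents, the account record, and the dates are constructed for illustration, and the legacy 30-day rule from the question is included only for contrast.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample blocklist; a real deployment loads a large list of
# commonly used and breached passwords and compares against it.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8  # SP 800-63B minimum for subscriber-chosen memorized secrets


@dataclass
class Account:
    password_set_on: date
    compromised: bool = False  # set by breach monitoring or incident response


def check_new_secret(secret: str) -> List[str]:
    """Return the reasons to reject a proposed secret; an empty list means accept.
    Deliberately absent: any character-class composition rule."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Case-insensitive blocklist comparison is an assumption of this example.
    if secret.strip().casefold() in BLOCKLIST:
        reasons.append("appears on the blocklist of common or breached passwords")
    return reasons


def must_change(account: Account, today: date) -> bool:
    """NIST rule: no arbitrary periodic expiry; force a change only on compromise."""
    return account.compromised


def legacy_must_change(account: Account, today: date, max_age_days: int = 30) -> bool:
    """The 30-day rotation rule from the question, for contrast."""
    age = today - account.password_set_on
    return account.compromised or age > timedelta(days=max_age_days)


def demo() -> Dict[str, bool]:
    """Worked comparison on a constructed account whose password is 60 days old."""
    acct = Account(password_set_on=date(2024, 1, 1))
    today = date(2024, 3, 1)
    results = {
        "nist_forces_change": must_change(acct, today),            # False
        "legacy_forces_change": legacy_must_change(acct, today),   # True
    }
    acct.compromised = True  # e.g. the password hash turned up in a breach dump
    results["nist_after_compromise"] = must_change(acct, today)    # True
    return results
```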