Forcing people to change their passwords is officially a bad idea

A US standards agency has issued new guidance saying organisations shouldn’t require users to change their passwords periodically – advice that is backed up by decades of research

By Matthew Sparkes

27 September 2024

Many organisations make staff regularly change their computer passwords for security reasons. Now the US government is saying those who make and run software and online tools should stop the practice. So, what should people really be doing?

The latest advice from the US National Institute of Standards and Technology (NIST) isn’t coming out of the blue. It is based on decades of research showing that forcing website and software users to periodically change their passwords actually harms security.
