Bill Burr, a manager at the National Institute of Standards and Technology (NIST), wrote a password primer in 2003 that recommended many of the rules we have now: special characters, capitals and numbers. He also added a recommendation that they be updated regularly (THANKS, BILL). It's this document that has been the basis for the password policy that's become prevalent among the government, businesses and other institutions. But now, the 72-year-old password guru tells The Wall Street Journal that, "Much of what I did I now regret." So do we, Bill. So do we.
But there's some good news: The NIST is currently overhauling these guidelines and they've just been finalized. One revised recommendation is that IT departments should only force a password change when there's been some kind of security breach. Otherwise the changes we make are often incremental; when forced to switch out our passwords every 90 days, people tend to just swap out one character. That makes the bulk of passwords incredibly ineffective; this practice actually harms security rather than helping it.
Another recommendation is to favor long phrases, rather than short passwords with special characters. There should no longer be a requirement to have a certain mix of special characters, upper case letters and numbers for a password. It turns out that adding in these artificial password restrictions actually produced less secure passwords. Additionally (and unsurprisingly), the guidelines recommend screening passwords against commonly used passwords or ones that have been compromised.
You can read the full set of draft guidelines at NIST's website, but this news should be music to the ears of anyone who's struggled with passwords. While no organization is required to adopt these new measures, these types of recommendations are usually implemented as best practices for security.