Forcing people to change their passwords is officially a bad idea

Many organisations make staff regularly change their computer passwords for security reasons. Now the US government is saying those who make and run software and online tools should stop the practice. So, what should people really be doing?

The latest advice from the US National Institute of Standards and Technology (NIST) isn’t coming out of the blue. It is based on decades of research showing forcing website and software users to periodically change their passwords actually harms security.