NIST’s new password rules – what you need to know – Naked Security
Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”
Wed Nov 23 07:45:21 2016
Applications must allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!
Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
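As an added illustration (not code from the article or from NIST), here is a length-only validator that applies the rules above, beside the kind of legacy policy the article says to retire. The 8-character minimum and NFKC normalization are assumptions taken from NIST SP 800-63B; this excerpt does not quote either.

```python
import unicodedata

MAX_LENGTH = 64  # NIST: allow at least 64 characters
MIN_LENGTH = 8   # assumption from NIST SP 800-63B; the excerpt above states no minimum


def normalize(secret: str) -> str:
    # NFKC (an 800-63B recommendation, assumed here) so that visually identical input
    # typed on different platforms compares equal, e.g. the ligature U+FB01 becomes "fi".
    return unicodedata.normalize("NFKC", secret)


def utf8_bytes(secret: str) -> int:
    # Storage limits are often enforced in bytes: an emoji is one code point but four UTF-8 bytes,
    # so a byte-based cap silently shortens the budget of users who pick Unicode passphrases.
    return len(secret.encode("utf-8"))


def check_password_nist(secret: str) -> tuple[bool, str]:
    """Length-only policy: any printable ASCII or Unicode, spaces and emoji included."""
    s = normalize(secret)
    # Reject only control characters (category Cc: tab, newline, ...). Format characters (Cf)
    # such as U+200D ZERO WIDTH JOINER stay, because multi-person emoji are built from them.
    if any(unicodedata.category(ch) == "Cc" for ch in s):
        return False, "control characters are not printable"
    n = len(s)  # count code points after normalization, never UTF-8 bytes
    if n < MIN_LENGTH:
        return False, "too short"
    if n > MAX_LENGTH:
        return False, "too long"
    return True, "ok"


def check_password_legacy(secret: str) -> tuple[bool, str]:
    """The style of rule the article criticises: short cap, ASCII only, forced symbols."""
    if len(secret) > 16:
        return False, "Sorry, your password can't be longer than 16 characters."
    if not secret.isascii() or " " in secret:
        return False, "only ASCII without spaces"
    if not (any(c.isdigit() for c in secret) and any(not c.isalnum() for c in secret)):
        return False, "must contain a digit and a symbol"
    return True, "ok"


if __name__ == "__main__":
    family = "\U0001F468\u200d\U0001F469\u200d\U0001F467"  # constructed ZWJ emoji sequence
    for pw in ["pA55w+rd", "correct horse battery staple \U0001F512", f"my family {family} 2016"]:
        print(repr(pw), "legacy:", check_password_legacy(pw), "nist:", check_password_nist(pw))
```

Note that `len()` counts code points, not grapheme clusters: the family emoji counts as 5, which is the practical unit when the standard library offers no grapheme segmentation.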
The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
Additionally, and this is a big change: SMS should no longer be used in two-factor authentication (2FA).
==> NIST’s goal is to get us to protect ourselves reliably without unneeded complexity, because complexity works against security.