I rarely go to a conference where I don't hear someone doling out "good" password policy advice. You know, the password policy includes:

- Eight to 12 characters long as a minimum; extremely long passphrases are better
- Must be complex and include at least three different character sets (e.g., uppercase characters, lowercase characters, numbers, or symbols)
- Change every 90 days or fewer
- Enable account lockouts for bad passwords, five bad attempts or fewer

I hear world-renowned computer security experts, CEOs and security consultants giving this advice all the time. I heard it today. I'll hear it tomorrow.

Except that it's wrong. It's old advice. It was never "good" password policy. Looking at the data, people and companies that follow this advice are likely increasing their computer security risk, not lessening it. Unfortunately, the desire to stay in compliance with outdated regulatory requirements means that most companies and individuals will be compelled to follow this old, outdated and wrong advice for years to come. It's a sad state of affairs.

What is today's good password policy advice?

Starting a decade ago or so, a few computer security scientists decided to look at the data to see if the traditional password security advice that had been recommended for decades was actually effective. One of my favorite computer security scientists is Microsoft Principal Researcher Dr. Cormac Herley. He has probably written more about how bad the old password policy advice is than anyone. He's not a fan of much of today's long-held, but untested, computer security advice. As he said in my 2017 book, Hacking the Hacker:

You might have a model of how you think 2 billion users will behave, but 2 billion users will respond the way they are going to respond regardless of your model. You can hope that it happens the same way, but you have to measure what happens to see if there is any resemblance to what you said would happen in your model. And if your model is wrong, change it.

Dr. Herley looked at the data and tested how well the traditional advice stacked up in today's hacker world. His conclusion, along with that of many others, was that the traditional advice was bad advice, and they used data and how today's hackers hack to come up with better password policy advice. The culmination of these password experts' work was updated password policy guidance from the National Institute of Standards and Technology (NIST). NIST sets the computer security standards for the U.S. government and military computers, and by doing so, sets the standards for most of the world's computers.

NIST issued its updated password policy advice in the form of "Digital Identity Guidelines", the most important of which is NIST Special Publication 800-63-3, released in final form in June 2017. In the related guideline documents, NIST essentially says that you should be using multifactor authentication (MFA) instead of passwords, but if you're going to be using single-factor authentication passwords, here are the new, better recommendations:

- Enable two-factor authentication (2FA) where you can. Passwords are great, but 2FA is better.
- A password should be eight characters or longer, but it doesn't have to be super long.
- Character complexity is no longer a requirement, but it does not hurt.
- Should not contain common or easy-to-guess passwords (like your name or password123).
- There is no need to change your password unless you think it's been compromised.
- Never re-use the same password on other sites.
- Developers, consider using dynamic authentication, where changes in user behavior, location, or devices initiate additional authentication checks.

That's it. That's the new advice! It's revolutionary in most circles.
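To make the contrast concrete, here is an added example (not code from the article or from NIST) that encodes the old policy and the new NIST-style rules as two side-by-side Python checkers. The function names are mine, and the blocklist is a small constructed stand-in for a real breached-password corpus.

```python
import re

# Constructed sample blocklist. A real deployment would load a large
# breached/common-password corpus here instead of this short set.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

def legacy_policy(password, days_since_change):
    """The 'old advice' the article criticises: complexity plus 90-day rotation.
    Returns a list of policy violations (empty list means the password passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # Count how many of the four character classes are present.
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("fewer than 3 character classes")
    if days_since_change > 90:
        problems.append("older than 90 days, must be changed")
    return problems

def nist_policy(password, username, compromised=False):
    """The NIST 800-63B style rules the article summarises: a length floor,
    a common/breached-password blocklist, no context-specific words, no
    composition rule, and a change only on suspected compromise."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    normalised = password.lower()
    if normalised in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    if username.lower() in normalised:
        problems.append("contains the username")
    # Reject all-one-character passwords and plain alphabetic/numeric runs.
    if (re.fullmatch(r"(.)\1+", password)
            or normalised in "abcdefghijklmnopqrstuvwxyz"
            or normalised in "0123456789"):
        problems.append("repetitive or sequential characters")
    if compromised:
        problems.append("suspected compromise, must be changed")
    return problems

if __name__ == "__main__":
    for pw in ("Password123", "correct horse battery staple"):
        print(pw, "| legacy:", legacy_policy(pw, 30), "| nist:", nist_policy(pw, "alice"))
```

Note the two outcomes the article predicts: "Password123" satisfies the legacy complexity rule but is rejected by the blocklist, while a long lowercase passphrase fails the legacy character-class rule and passes the NIST-style check.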
Passwords don't have to be long or complex, and almost never need to be changed. This goes against what we've all been taught for a long time. Again, I still hear the old advice at computer security conferences. I hear it from people on panels sitting beside me. I want to correct everyone, publicly, but that's hard to do without insulting your friends, co-workers, and leaders. It's not their fault. They just don't know.

Lately, I've taken to speaking up about it. I try to do it as politely as I can, trying not to shame the other person for not knowing. You would be surprised, though, by how many people actually know about the newer password policy guidelines but simply cannot believe them and keep repeating the older advice. Habits can be hard to break.

Is compliance hurting us?

Worse yet, even though the new password policy guidelines have been the "rule of the land" for a year now, I don't know of a single legislatively required regulatory guideline (e.g., HIPAA, SOX, or PCI-DSS) that doesn't still require the old password policies. I don't know of a single auditing regime or program that doesn't require, often by law, the older, worse password guidelines.

Administrators and users are stuck in a hard place. Follow the old policies and your company is more at risk from successful malicious hacking. Follow the new advice and you fail an audit and have everyone in your company above you yell at you.

I want to tell you to talk to your auditors and management and send them NIST's newer password guidelines, but the truth is that they aren't really going to care. All they are going to care about is whether you help get a "check mark" of success on a compliance audit. If you try to implement the new password policies, you are likely to be going it alone, against a hurricane of criticism and complaints. If you cause an audit exception or a lack-of-compliance finding, you could be disciplined or fired. The best or the smartest among us basically have to accept that they will be knowing, but silent.

When will regulations change?

If you want to do something, write to the bodies in charge of the legal regulations that control your industry. Educate them and ask them when they plan to update their required guidelines. Do the same with your internal and external auditing teams, and with IT management. Now is the time — it's been a year — to start asking for the outdated password policy guidelines to be updated.

All auditing and regulatory bodies need to ask themselves if they are responsive enough to changes in cybersecurity guidelines. Do they have policies and procedures, easy to find and follow, for members to initiate changes? Hackers and malware can change in seconds. How long do we have to wait until our controlling regulations and laws get updated after we find better advice?

If we don't make our audit and regulatory bodies more responsive, aren't we always going to have compliance eroding our security in one way or another?

This is a call to arms. Go fight the good fight!