This article appears mistaken about which parts of the guidelines are new.<p>The recommendation against periodic password change requirements, for example, has been part of NIST guidelines for years, in previous versions of this document. This has not kept a large number of US federal and state government agencies from requiring periodic password changes, sometimes even stating that it is a regulatory requirement. It's not clear that the NIST guidelines have any effect whatsoever on the very government NIST is part of.