Forcing people to change their passwords is officially a bad idea

A US standards agency has issued new guidance saying organisations shouldn’t require users to change their passwords periodically – advice that is backed up by decades of research