When it comes to passwords, most of us are groping around in the dark looking for clues on how to stay safe. Even big banks get it wrong. But a draft from the National Institute of Standards and Technology (NIST) teaches us all how to be more secure.


The new draft standard, Special Publication 800-63-3, documents new Digital Identity Guidelines. This includes rules on how to keep passwords secure.

NIST’s rules contradict many security theater policies implemented by big banks and other corporations. NIST says don’t require password changes if the server hasn’t been broken into. Don’t require capital letters, digits, special characters, or impose other “composition” requirements. But do allow the use of those characters, including spaces.

The key to security, NIST says, is that users should choose very long passwords. If your password were an entire sentence, with spaces and punctuation, it would be very easy for you to remember but very hard for a computer to guess.
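To make the contrast concrete, here is an added example (not code from the article or from NIST) that puts the two policies side by side: a "legacy" composition policy of the kind the article criticises, and a policy in the spirit of the draft's authenticator guidance (SP 800-63B section 5.1.1.2): length is the only composition rule, every printable character including space is accepted, input is Unicode-normalised before counting, and the value is compared against a blocklist of commonly used or compromised passwords. The blocklist here is a constructed five-entry stand-in, the 128-character upper bound is an assumption (the guidance only requires that at least 64 be accepted), and the function names are my own.

```python
import unicodedata

# Constructed stand-in for a blocklist; a real deployment would load a
# large list of commonly used or breached passwords (SP 800-63B asks for
# such a comparison).
BLOCKLIST = {"password", "p@ssw0rd1", "letmein", "qwerty123", "welcome1"}

MIN_LEN = 8     # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 128   # assumption; the guidance requires accepting at least 64


def legacy_policy(password: str) -> list:
    """The 'security theater' policy: 8-16 chars, upper, lower, digit,
    special character, and no spaces. Returns a list of violations."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8-16")
    if " " in password:
        problems.append("spaces not allowed")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() and c != " " for c in password):
        problems.append("needs a special character")
    return problems


def normalize_password(password: str) -> str:
    """Apply NFKC so that visually identical input (e.g. the 'fi' ligature
    versus 'f' + 'i') is stored and compared consistently."""
    return unicodedata.normalize("NFKC", password)


def nist_policy(password: str, blocklist=BLOCKLIST) -> list:
    """Length-only rules plus a blocklist check. Spaces and any printable
    Unicode are fine; each code point counts as one character."""
    normalized = normalize_password(password)
    problems = []
    if len(normalized) < MIN_LEN:
        problems.append(f"must be at least {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        problems.append(f"must be at most {MAX_LEN} characters")
    # Reject control characters (Unicode category C*) but nothing else.
    if any(unicodedata.category(c).startswith("C") for c in normalized):
        problems.append("control characters not allowed")
    if normalized.lower() in blocklist:
        problems.append("appears on the blocklist of common or compromised passwords")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1",
                      "correct horse battery staple is my bank phrase"):
        print(repr(candidate))
        print("  legacy:", legacy_policy(candidate) or "accepted")
        print("  nist:  ", nist_policy(candidate) or "accepted")
```

Run as a script, the sentence-length passphrase is rejected by the legacy policy on five counts and accepted by the NIST-style one, while `P@ssw0rd1` sails through the composition rules and is caught only by the blocklist. The "change it every 90 days" rule needs no code at all: under the draft, a reset is triggered by evidence of compromise, not by the calendar.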

Frequent changes and special characters are security theater. Don’t forget that, and shame the companies that use them.