NIST Password Guidelines: What Changed and Why It Matters
The National Institute of Standards and Technology (NIST) publishes the digital identity guidelines that US federal agencies must follow for authentication, including passwords. Those guidelines (SP 800-63B) have rippled out to influence corporate policies, auditors, and vendor defaults worldwide.
The most recent revision, SP 800-63B Revision 4, threw out decades of conventional wisdom. Revision 3 (2017) had already discouraged most of the practices below as "should not"; Revision 4 turns them into hard "shall not" requirements.
What NIST dropped
Mandatory complexity rules. The old requirement to mix uppercase, lowercase, numbers, and special characters is gone: verifiers must not impose composition rules. NIST found that these rules push users toward predictable patterns (Password1!, Summer2026$) that cracking tools model easily, while adding little real entropy.
Forced periodic rotation. Requiring password changes every 30, 60, or 90 days is no longer permitted. Studies showed that forced rotation leads to weaker passwords, because people make minimal, predictable changes (Spring2025 becomes Summer2025). A change must still be forced when there is evidence that the password has been compromised, for example when it turns up in a breach corpus.
Knowledge-based authentication. Security questions like "What is your mother's maiden name?" are out, both as a login step and for account recovery. The answers are often publicly available or easily guessed.
What NIST recommends now
Length over complexity. Passwords must be a minimum of 8 characters, and should be a minimum of 15. Systems should accept passwords of at least 64 characters, count every Unicode code point as one character, and verify the entire string rather than silently truncating it. Passphrases are explicitly encouraged. NIST also recommends applying NFKC or NFC Unicode normalization before a password is hashed or compared, so the same passphrase typed on different keyboards still matches.
Screen against known-bad passwords. When a password is chosen, systems must check it against a blocklist of commonly used passwords, dictionary words used as passwords, context-specific strings such as the username or the service name, and credentials from known data breaches. If a password appears on these lists, reject it and tell the user why.
Allow all printable characters. Systems must accept every printing ASCII character and the space, and should accept Unicode as well. Do not restrict which special characters are allowed, and do not trim or truncate what the user typed.
No password hints. A hint that can be viewed before the user has authenticated leaks information about the password to anyone trying to guess it, so verifiers must not offer them.
Support paste. Users should be allowed to paste passwords from a password manager. Disabling paste forces users to type passwords manually, which discourages the use of long, strong passwords. For the same reason, offer an option to display the password as typed instead of a row of dots.
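The length, character-set and blocklist rules above translate directly into a verifier-side acceptance check. The following is an added example (not code from the original article or from NIST) of what such a check looks like, together with the k-anonymity lookup that the Pwned Passwords range API uses for breach screening: the client sends only the first five hex characters of the SHA-1 of the password to https://api.pwnedpasswords.com/range/<prefix> and compares the returned suffixes locally. The blocklist, the 128-character cap, the case-folded comparison and the API response body are all constructed for this example; no network call is made.

```python
"""NIST SP 800-63B style password acceptance: length, no composition rules,
blocklist screening, and the k-anonymity range lookup used by Pwned Passwords
(parsing only; no network access). Added example, not NIST's or the page's code."""
import hashlib
import unicodedata

MIN_LEN = 8            # SP 800-63B: passwords must be at least 8 characters
RECOMMENDED_MIN = 15   # Rev 4: should be at least 15
MAX_LEN = 128          # Assumed cap for this example; the guideline is "at least 64"

# Constructed blocklist for the example. A real deployment loads a large corpus
# of breached and commonly used passwords. Entries are NFKC-normalised and
# case-folded so trivial variants such as "Password1!" are still caught
# (case-folding is this example's choice, not something NIST mandates).
BLOCKLIST = {
    "password", "password1!", "qwerty123", "summer2026$",
    "letmein", "welcome1", "iloveyou",
}


def normalize(password: str) -> str:
    # NFKC (or NFC) normalisation before hashing or comparing, as SP 800-63B recommends.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "", service: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). Never rejects for missing character classes."""
    pw = normalize(password)
    # len() counts Unicode code points, which is how SP 800-63B counts characters.
    if len(pw) < MIN_LEN:
        return False, f"too short: need at least {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        # Reject rather than silently truncate: the whole string must be verified.
        return False, f"too long: maximum is {MAX_LEN} characters"
    if any(not ch.isprintable() for ch in pw):   # space is printable; control chars are not
        return False, "control characters are not allowed"
    folded = pw.casefold()
    if folded in BLOCKLIST:
        return False, "password appears on the blocklist of common or breached passwords"
    # Context-specific words (username, service name) are blocklist material too.
    for word in (username, service):
        if word and len(word) >= 4 and word.casefold() in folded:
            return False, f"password contains context-specific word {word!r}"
    if len(pw) < RECOMMENDED_MIN:
        return True, f"accepted; consider {RECOMMENDED_MIN}+ characters"
    return True, "accepted"


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the range endpoint and the 35-char suffix that stays local."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if it is absent. Padding rows with count 0 read as clean."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body(password: str) -> str:
    """Constructed stand-in for an API response in which `password` is listed as
    breached. The other rows and the counts are made up for the example."""
    _, suffix = hibp_prefix_suffix(password)
    return "\n".join([
        "1234567890ABCDEF1234567890ABCDEF123:1",
        f"{suffix}:3861493",
        "FEDCBA0987654321FEDCBA0987654321FED:0",
    ])


def is_breached(password: str, range_body: str) -> bool:
    _, suffix = hibp_prefix_suffix(password)
    return breach_count_from_range(suffix, range_body) > 0


if __name__ == "__main__":
    for candidate in ("Password1!", "Tr0ub4d", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate))
    print("breached:", is_breached("password", constructed_range_body("password")))
```

In production, the range body comes from an HTTPS GET to the endpoint named above (send the `Add-Padding: true` header so response sizes do not reveal the prefix's bucket), and a breach hit should be handled the same way as a blocklist hit: reject the new password and, for an existing one, force a change as the guideline requires.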
Why this matters
If your organization still enforces 90-day password rotation with complexity rules, you are following outdated guidance that actively makes security worse. Updating your policy to align with NIST is both more secure and less annoying for users.
Key takeaways
- Let users choose long passphrases
- Stop forcing password changes on a schedule
- Block known-compromised passwords instead
- Let people paste from password managers
- Drop the security questions
The full NIST SP 800-63B document is available at pages.nist.gov.