NIST Password Guidelines: What Changed and Why It Matters
The National Institute of Standards and Technology (NIST) sets the password policies that US federal agencies must follow. Their guidelines (SP 800-63B) have rippled out to influence corporate policies worldwide.
The most recent revision threw out decades of conventional wisdom.
What NIST dropped
Mandatory complexity rules. The old requirement to mix uppercase, lowercase,
numbers, and special characters is gone. NIST found that these rules lead to
predictable patterns (Password1!, Summer2026$) that are easy to guess.
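The effect described above can be checked directly. This is an added example, not code from the original article or from NIST: it applies a legacy four-class composition rule to the article's two sample passwords and tests them against the "capitalized word, digits, trailing symbol" template. The minimum length of 8, the regex, the function names and the last two sample passwords are assumptions made for illustration.

```python
import re

# Legacy composition rule of the kind the article says NIST dropped: at least
# one character from each of four classes. min_len=8 is an assumption.
def meets_legacy_complexity(pw: str, min_len: int = 8) -> bool:
    return (
        len(pw) >= min_len
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )

# Template people fall back on to satisfy that rule: a capitalized word,
# then 1-4 digits, then one or more trailing symbols (illustrative regex).
PREDICTABLE = re.compile(r"[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]+")

def is_predictable_template(pw: str) -> bool:
    return PREDICTABLE.fullmatch(pw) is not None

def audit(passwords):
    """Return (password, passes_legacy_rule, matches_template) per input."""
    return [
        (p, meets_legacy_complexity(p), is_predictable_template(p))
        for p in passwords
    ]

# The first two are the article's own examples; the last two are constructed.
SAMPLES = [
    "Password1!",
    "Summer2026$",
    "correct horse battery staple",
    "tr0ub4dor",
]

if __name__ == "__main__":
    for pw, legacy_ok, predictable in audit(SAMPLES):
        print(f"{pw!r:32} legacy_rule={legacy_ok!s:5} template={predictable}")
```

Both of the article's examples pass the legacy rule and match the template, while the constructed lowercase passphrase fails the rule purely for lacking the required character classes.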