Skip to content

NIST password guidance finally matches reality

No more forced monthly resets. No security questions. Longer passwords, change on compromise. NIST caught up with how people actually behave.

Some great updates from NIST SP 800-63B on password requirements - better aligned with today's reality (MFA, passkeys) and users' behaviour (Password1!Nov, Password1!Dec...).

The useful bits, in plain language:

  • Do not require users to change passwords periodically
  • Stop using knowledge-based authentication / security questions (birthday, mum's maiden name)
  • Allow ASCII and Unicode characters in passwords
  • Allow passwords of a maximum of at least 64 characters
  • Require a minimum of eight characters, preferably at least 15
  • Force a change if there is evidence of compromise of the authenticator
  • Do not impose other composition rules (mixtures of character types) for passwords

That last one still surprises people. Complexity rules trained a generation to rotate Summer2024! into Autumn2024!. NIST has been saying for years that length and breach checking beat theatre. Rev. 4 makes it harder to pretend otherwise.

What to do in your org

If your policy still mandates 90-day rotation and three character classes, you are fighting NIST and your users. Prefer:

  1. Long passwords or passphrases (or better: passkeys)
  2. Check against known-breached passwords
  3. MFA everywhere that matters
  4. Rotate only on suspicion of compromise

I wrote why password complexity is the wrong fight and why I don't care that you have a strong password if MFA and unique credentials are missing.

Find this on LinkedIn and give it a thumbs up: NIST password guidance finally matches reality

Olivier Reuland