Password security is changing — and updated guidelines from the National Institute of Standards and Technology (NIST) reject outdated practices in favor of more effective protections.
Don’t have time to read the 35,000-word guidelines? No problem. Here are the six takeaways from NIST’s new guidance that your organization needs to know to create password policies that work.
1. Password length > password complexity
For years, organizations have created password policies that follow a rigid formula — requiring users to include upper and lowercase letters, numbers, and symbols — to create passwords that are difficult to crack.
But NIST’s research highlights a flaw in this approach: humans are predictable and often follow predictable (and easy to guess) patterns when developing “complex” passwords.
For example, users often:
- Start their passwords with a capital letter (e.g., welcome456 becomes Welcome456)
- End their passwords with a number or symbol (e.g., Welcome456, Welcome2024!!)
- Swap common characters (e.g., WelcomeToXYZCorp becomes W3lcomeToXYZCorp)
What does this mean? Passwords that may look complex (and adhere to password policy requirements) are relatively easy for hackers to crack because they follow a predictable pattern.
To help users create stronger passwords, NIST recommends enforcing password length instead of password complexity. Instead of asking users to come up with a random, difficult-to-remember combination of letters, numbers, and symbols, urge them to create longer passwords or passphrases that will be easy to recall but harder for hackers to guess.
The best passphrases combine unrelated words into a single, longer passphrase. For example, a passphrase like “llama-shoehorn-trumpet7” will be much easier for a user to remember than a random password like “HPn&897*k” — and it will be harder to hack than passwords that follow predictable patterns.
2. Facilitate longer passwords
Building on the guidance above, NIST’s latest revision confirms what security researchers have long suspected: password length is the most important password security measure. Specops’ findings reinforce this conclusion, but many companies undermine their security by imposing password character limits.
To maximize the security protection passwords provide, your password policies must be able to accommodate long passphrases.
NIST recommends supporting up to 64 characters — far beyond what most users will need but highly important for those prioritizing maximum security.
While longer passwords increase cracking difficulty, they aren’t invincible — even a 64-character passphrase can become compromised through password reuse or being stolen by malware.
That said, long passwords do offer more protection than their shorter counterparts. Give your users the flexibility to use a passphrase that meets their security needs, whether that’s 15 or 50 characters.
3. Implement MFA
Microsoft research shows that 99% of breached accounts lacked MFA. But many organizations still treat MFA as a luxury rather than a necessity.
NIST doesn’t mince words with its guidance on this topic: MFA is no longer optional; it’s a must-have line of defense for when passwords inevitably fail.
To align with NIST guidelines, don’t cling to single-factor authentication. By implementing MFA, you’ll close a regularly exploited security gap.
4. Avoid frequent password changes
End users don’t enjoy being forced to change their passwords, so they’ll be pleased to hear that NIST is urging organizations to forgo mandatory password expiration unless there’s evidence of compromise.
NIST asserts that frequent password changes often lead to weaker, not stronger, security, as users resort to minimal password tweaks to satisfy the “new” password requirement.
But completely forsaking password expiration policies may swing too far in the opposite direction.
At Specops, we recommend a nuanced approach: extending the time between required changes while maintaining essential safeguards. When users create robust passwords and organizations deploy compromise detection tools, longer expiration windows become not just acceptable, but preferable.
5. Prevent the use of already-breached passwords
NIST’s latest guidance is straightforward — organizations should screen new passwords against databases of known compromised credentials.
Why? Because these exposed passwords become skeleton keys for attackers, who leverage massive lists of breached credentials to accelerate their attacks.
Users rarely know when their preferred passwords have been exposed in previous breaches. They may trustingly reuse what seems like a strong password, unaware it’s already circulating in criminal databases.
By proactively blocking these compromised passwords, your organization can shut down a favorite attack vector before hackers can exploit it.
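As an added example (not code from Specops or NIST), here is a Python policy check that follows the points made in sections 1, 2 and 5: no composition rules, a 64-character ceiling, and a screen against a breached-password list that also catches the predictable tweaks listed in section 1 (leading capital, leet swaps, trailing digits and symbols). The 15-character minimum and the sample breach list are assumptions made for this example.

```python
import hashlib
import re

MAX_LENGTH = 64   # the page: support passphrases up to 64 characters
MIN_LENGTH = 15   # assumed minimum for this example; the page gives no figure

# Constructed breached-password list, kept as SHA-1 hex digests the way
# leaked-credential corpora are commonly distributed. Sample values only.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("welcome", "password", "welcometoxyzcorp", "summer2023")
}

# Common character swaps users make to satisfy complexity rules (W3lcome).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Undo the predictable tweaks from section 1, so 'W3lcomeToXYZCorp2024!!'
    is screened as the base word 'welcometoxyzcorp'."""
    core = re.sub(r"[\d\W_]+$", "", password)   # drop trailing digits/symbols
    return core.lower().translate(LEET)         # drop capitals, undo leet swaps

def legacy_complexity_policy(password: str) -> bool:
    """The rigid upper/lower/digit/symbol formula that NIST advises against."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)

def is_breached(password: str) -> bool:
    """Screen both the literal password and its normalized form."""
    digests = {hashlib.sha1(s.encode()).hexdigest()
               for s in (password, normalize(password))}
    return not digests.isdisjoint(BREACHED_SHA1)

def nist_policy(password: str) -> tuple[bool, str]:
    """Length bounds plus a breach screen; deliberately no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if is_breached(password):
        return False, "matches a known breached password"
    return True, "accepted"

if __name__ == "__main__":
    # 'W3lcomeToXYZCorp2024!!' satisfies the legacy formula yet is a known
    # base word with tweaks; the passphrase fails the formula yet is accepted.
    for pw in ("W3lcomeToXYZCorp2024!!", "llama-shoehorn-trumpet7"):
        print(f"{pw!r}: legacy={legacy_complexity_policy(pw)} nist={nist_policy(pw)}")
```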
Want to assess your organization’s exposure? Our free Specops Password Auditor provides instant visibility into your Active Directory password vulnerabilities.
6. Discontinue password hints and other knowledge-based recovery
What’s the name of your first pet? What was your high school mascot? What’s your mother’s maiden name?
Password hints and security questions like these show their age. NIST’s latest guidance urges organizations to forgo these traditional recovery methods because our online lives have made them obsolete.
Consider how much of your personal information flows freely on social media. What once seemed like private knowledge now sits in plain view, waiting to be collected and exploited.
In lieu of hints, NIST suggests alternatives such as secure email recovery links and MFA verification during password resets.
These approaches allow users to validate their identity through physical access to devices or accounts rather than easily discovered personal trivia.
Aiming to align your organization with NIST guidelines?
Try Specops Password Policy for free and make compliance with all six of these steps simple for your IT team.
Sponsored and written by Specops Software.