For decades, password policies followed a familiar pattern: require uppercase, lowercase, numbers, and special characters. Force users to change passwords every 60 or 90 days. The logic seemed sound—more complexity means more security.

Except it doesn't. And the organization that literally wrote the rules has now formally said so.

In August 2024, the National Institute of Standards and Technology (NIST) released Special Publication 800-63B Revision 4, updating its digital identity guidelines with significant changes to password requirements. The previous version was officially withdrawn in August 2025, meaning these aren't just suggestions—they represent current federal standards.

Many organizations still haven't implemented these changes. Here's what shifted and why it matters.

What Changed

No More Forced Password Expiration

The new NIST guidance is clear: organizations should stop enforcing mandatory periodic password changes. Passwords should only be updated when there's evidence of compromise.

This reverses decades of conventional wisdom. The reasoning is straightforward: frequent password resets often lead to weaker passwords. When forced to change passwords regularly, users tend to make minimal, predictable modifications—"Password1" becomes "Password2" becomes "Password3." Attackers know this and account for it.

We touched on this dynamic in our earlier piece asking whether you still need to change your passwords. NIST has now provided a definitive answer.

No More Complexity Requirements

The language in Revision 4 has been strengthened significantly. Previous NIST guidance recommended against enforcing composition complexity, stating that organizations "should not" impose such rules. The new revision states that organizations "shall not" impose arbitrary composition requirements beyond basic length and blocklist checks.

This means password policies should not mandate:

  • At least one uppercase letter
  • At least one number
  • At least one special character
  • Restrictions on consecutive or repeating characters

The rationale is backed by research. Forcing complex composition rules often produces worse security outcomes: users create predictable patterns to satisfy requirements (substituting "@" for "a" or adding "123!" at the end) or write passwords down because they can't remember them.

Bill Burr, the original author of many traditional password complexity rules, has publicly apologized and acknowledged that the guidance he created actually decreased security.

Minimum 15 Characters

While dropping complexity requirements, NIST has raised length requirements. When a password is the sole authenticator, systems must now enforce a minimum length of 15 characters.

The math supports this. According to security research, an 8-character password can be cracked in approximately eight hours regardless of character diversity. A 12-character password, even without special characters, can take thousands of years to crack with current technology.

Length beats complexity because each additional character multiplies the number of possible combinations an attacker must try by the size of the character set, so the search space grows exponentially with length. A 16-character password using only lowercase letters provides more protection than an 8-character password using the full printable ASCII character set.

Check Against Breach Databases

NIST now effectively mandates checking passwords against known breach databases. If a user selects a password that appears on a blocklist of commonly used, expected, or compromised values, they must choose a different one.

This is one of the most effective defenses against credential attacks. Many account compromises succeed simply by trying lists of common passwords or previously leaked credentials against large numbers of accounts. By disallowing those values upfront, organizations dramatically improve security without burdening users with complexity rules.
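The three rules above (a length floor, a length ceiling of at least 64, and a blocklist check, with no composition rules) are small enough to show in one verifier-side check. The following is an added example written for this article, not code from NIST or from any product; the blocklist is a constructed handful of entries standing in for a real breach corpus, the 8-character floor for passwords paired with a second factor and the Unicode normalization step are assumptions of this example, and the 64-character cap is this example's choice where NIST only requires that at least 64 be accepted.

```python
import hashlib
import unicodedata

# Length bounds taken from the article's summary of NIST SP 800-63B Rev 4:
# at least 15 characters when the password is the sole authenticator, and
# passwords of up to 64 characters must be accepted.
MIN_LENGTH_SOLE_AUTHENTICATOR = 15
MIN_LENGTH_WITH_SECOND_FACTOR = 8   # assumption: the article only gives the 15-character figure
MAX_LENGTH = 64                     # NIST requires at least 64 be accepted; capping exactly there is this example's choice

# Constructed blocklist standing in for a real breach corpus (which would hold
# hundreds of millions of entries and be loaded from disk or queried via an API).
# Entries are lower-cased and stored as SHA-1 digests, the shape most breach
# corpora use, so the lookup code is unchanged when a real corpus is swapped in.
_CONSTRUCTED_BLOCKLIST = [
    "password",
    "password1",
    "p@ssw0rd123!",
    "letmein",
    "qwerty123456789",
    "correcthorsebatterystaple",   # well-known example passphrases appear in common cracking wordlists
]


def normalize(password: str) -> str:
    """Apply Unicode NFKC normalization so visually identical strings compare equal.
    (Assumption of this example: the article does not discuss normalization.)"""
    return unicodedata.normalize("NFKC", password)


def _digest(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


BLOCKLIST_DIGESTS = frozenset(_digest(entry) for entry in _CONSTRUCTED_BLOCKLIST)


def is_blocklisted(password: str, digests=BLOCKLIST_DIGESTS) -> bool:
    """Case-insensitive membership test: "Password1" and "password1" are the same guess to an attacker."""
    return _digest(normalize(password).lower()) in digests


def evaluate_password(password: str, sole_authenticator: bool = True) -> list[str]:
    """Return the reasons a candidate password is rejected; an empty list means accepted.

    Only length and blocklist checks are applied. There is deliberately no rule
    about uppercase, digits, symbols or repeated characters, and spaces are allowed.
    """
    candidate = normalize(password)
    minimum = MIN_LENGTH_SOLE_AUTHENTICATOR if sole_authenticator else MIN_LENGTH_WITH_SECOND_FACTOR
    problems = []
    if len(candidate) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_blocklisted(candidate):
        problems.append("appears on the blocklist of common or compromised passwords")
    return problems


if __name__ == "__main__":
    for sample in ["P@ssw0rd123!", "correct horse battery staple", "mechanical pencil under the sofa"]:
        verdict = evaluate_password(sample)
        print(f"{sample!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Two design points worth noting: the candidate is normalized and lower-cased before hashing so that trivial variants of a leaked value are caught, and the rejection reasons are returned rather than scored, so the user is told exactly what to change (NIST's guidance is to tell the user the value was rejected and why) instead of being pushed through a strength meter.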

Why Length Wins

The shift toward length over complexity reflects how password cracking actually works.

Password entropy—the mathematical measure of how hard a password is to guess—increases with both length and character diversity. But length has a more dramatic effect. Doubling the length of a numbers-only password adds about as much protection as keeping the length fixed and switching from the 10 digits to the full 94-character printable ASCII set.

More importantly, human-generated "complex" passwords have far less entropy than their theoretical maximum. A password like "1GoodPassword!" might look strong, but because it uses common English words and a predictable number-symbol pattern at the end, its actual entropy is a fraction of what the character count would suggest.

A simple passphrase like "correcthorsebatterystaple" (to borrow a famous example) is both easier to remember and harder to crack than "Tr0ub4dor&3"—despite the latter appearing more "complex."
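The entropy arithmetic behind the last few paragraphs (16 lowercase characters versus 8 from the full set, doubled digits versus a wider alphabet, and the gap between a human-built password's apparent and actual entropy) is easy to carry through. This is an added example written for this article, not an analysis from NIST or from the article's author. The guess rate, the 10,000-word vocabulary and the 32-symbol set used to model a password like "1GoodPassword!" are assumptions chosen for illustration; the character-set sizes are the ones the article uses.

```python
import math

# Character-set sizes used in the comparisons below.
DIGITS = 10
LOWERCASE = 26
PRINTABLE_ASCII = 94          # the printable, non-space ASCII characters the article refers to

# Assumed attacker guess rate for the time estimates. Real rates depend on the
# hash algorithm and hardware, so this figure is an assumption for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate of the given entropy at the given guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def pattern_entropy(components: list[tuple[str, int]]) -> float:
    """Entropy of a password built from independent choices, each with a known number of options.
    This models how people actually build "complex" passwords: a few words plus a decoration."""
    return sum(math.log2(options) for _, options in components)


# Constructed model of a human-style password such as "1GoodPassword!": a leading digit,
# two words from a 10,000-word vocabulary, and one trailing symbol. The vocabulary size
# and the 32-symbol set are assumptions of this example.
HUMAN_PATTERN = [
    ("leading digit", DIGITS),
    ("first dictionary word", 10_000),
    ("second dictionary word", 10_000),
    ("trailing symbol", 32),
]


def compare() -> dict[str, float]:
    """Collect the comparisons the article makes, in bits of entropy."""
    return {
        "8 chars, full printable ASCII": entropy_bits(PRINTABLE_ASCII, 8),
        "16 chars, lowercase only": entropy_bits(LOWERCASE, 16),
        "8 digits": entropy_bits(DIGITS, 8),
        "16 digits": entropy_bits(DIGITS, 16),
        "14 chars, naive count for '1GoodPassword!'": entropy_bits(PRINTABLE_ASCII, 14),
        "14 chars, modelled as words plus decoration": pattern_entropy(HUMAN_PATTERN),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        years = years_to_exhaust(bits)
        print(f"{label:46s} {bits:6.1f} bits  ~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
```

Running it shows 16 lowercase characters at about 75 bits against about 52 bits for 8 characters from the full set, 16 digits landing within a bit of that 8-character full-set figure, and the word-plus-decoration model of "1GoodPassword!" at roughly 35 bits against the 92 bits a naive character count suggests. The absolute year figures move with the assumed guess rate, but the ordering does not, which is the article's point.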

We explored related concepts in our guide on how to create a strong password.

What Hasn't Changed

Some fundamentals remain important:

Password managers are still essential: The best password is one you don't have to remember. Password managers generate and store unique, random passwords for every account. The NIST guidance around length and uniqueness reinforces why these tools matter. We discussed this in our article on what businesses still get wrong about password security.

Multi-factor authentication remains critical: NIST's password guidance exists within a broader framework that strongly encourages MFA. Even the best password can be phished or stolen through other means. MFA provides protection when passwords fail. We covered implementation considerations in our piece on common MFA mistakes.

Breach monitoring matters more than ever: With passwords no longer expiring on a schedule, detecting when credentials have been compromised becomes more important. Organizations should actively monitor for credential exposure and require changes when breaches are detected.

The Implementation Gap

Despite these guidelines being official for over a year, many organizations haven't updated their policies. Systems still enforce 90-day password rotations. Applications still reject passwords without special characters. Users still create "P@ssw0rd123!" because the system requires it.

Several factors contribute to this gap:

Legacy systems: Older applications may have password requirements hardcoded in ways that are difficult to change.

Compliance confusion: Some industry-specific regulations reference older password standards. Organizations may be uncertain whether NIST's updated guidance supersedes other requirements.

Institutional inertia: "We've always done it this way" is a powerful force. Changing password policies requires updating documentation, retraining users, and potentially modifying multiple systems.

Misperception of risk: Some security teams worry that removing complexity requirements or expiration periods will be seen as weakening security, even though the evidence suggests the opposite.

Questions for Your Organization

If you're evaluating your password policies against current standards, consider:

  • Are you still forcing password changes on a fixed schedule? If so, what's the rationale?
  • Do your systems allow passwords of 15 characters or longer? Do they allow up to 64 characters as NIST recommends?
  • Are you checking new passwords against breach databases and common password lists?
  • Are complexity requirements creating predictable patterns rather than genuine security?
  • Do users have access to approved password managers to help them maintain unique credentials?
  • Is MFA enabled for all systems where it's available?

The answers may reveal a gap between your policies and current best practices—a gap that represents both security risk and unnecessary user friction.

The Broader Point

Password security advice has evolved because attackers have evolved. The patterns that complexity rules create are well understood by threat actors. The passwords users generate under 90-day rotation requirements are predictable.

NIST's updated guidance reflects this reality. Longer passwords, checked against breach databases, changed only when compromised, and supplemented by multi-factor authentication—this combination provides better actual security than the traditional approach ever did.

The question isn't whether your organization should update its password policies. It's whether you can afford to keep following guidance that the people who wrote it have explicitly disavowed.


This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified professionals to assess their specific situation and develop appropriate policies.