Rethinking Passwords: What the Latest NIST Guidelines Mean for You
Alex Weeks
8/14/25 10:45 AM

I recently discussed why going passwordless is the future of security, yet many organisations and technologies still need time to adjust. Passwords remain popular today and may remain in use for some time to come; the NIST guidelines in Special Publication 800-63B aim to balance security with usability and practical implementation.
Many organisations don't know what their current guidelines even are, yet still require users to change passwords every 90 days while demanding uppercase, lowercase, numbers and special characters. It might be time for an update!
A new philosophy on passwords
With the publication of NIST Special Publication 800-63B, the agency made a deliberate shift: abandon punitive rules in favour of practical, evidence-based strategies that strengthen security and improve the user experience. Specifically, under this new guidance:
- Complexity requirements have been relaxed
- Frequent password changes are no longer recommended
- Length takes precedence over complexity
- Screening against previously compromised passwords is strongly encouraged
In short, longer, memorable passphrases are in.
Complicated, hard-to-remember strings like “dU23*&$nmH2*” are out.
Why passphrases are more secure
NIST recommends encouraging users to create memorable passwords instead of forcing them into obscure, hard-to-remember combinations. It favours longer passwords built from simple language; a passphrase like:
- purple-grass-dances-wildly
...is easy to remember and difficult for others to guess, which makes it highly secure compared to short, complex passwords.
Why does this work?
Password security relies on entropy - the total number of possible combinations - and longer passwords built from simpler components offer much higher entropy than shorter, complex ones.
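To put numbers on that claim, here is a small entropy calculator. It is an added example, not code from the original post or from CNS. It assumes two generation models: a "complex" password drawn uniformly from the 95 printable ASCII characters, and a passphrase whose words are drawn uniformly from a 7776-word list (the size of a Diceware-style list). The passphrase is credited per word, because an attacker who knows the list guesses whole words, not letters. Five random words already exceed an eight-character random password, and `words_to_match` reads off how many words are needed to match any longer one; the user-facing difference is that people can actually remember five or six random words.

```python
import math

# Alphabet sizes used by the models below. These are assumptions for the
# example: 95 printable ASCII characters for a random "complex" password, and
# a 7776-word list (the size of a Diceware-style list) for a passphrase whose
# words are chosen uniformly at random.
PRINTABLE_ASCII = 95
WORDLIST_SIZE = 7776


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks from an alphabet
    of `alphabet_size` choices, i.e. log2(alphabet_size ** symbols)."""
    if symbols <= 0 or alphabet_size <= 1:
        raise ValueError("need at least one symbol and an alphabet larger than 1")
    return symbols * math.log2(alphabet_size)


def random_password_bits(length: int) -> float:
    """Entropy of a `length`-character password drawn uniformly from printable ASCII."""
    return entropy_bits(length, PRINTABLE_ASCII)


def passphrase_bits(words: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from the word list.

    The word is the unit an attacker who knows the list would guess, so the
    passphrase is credited per word, not per character. Counting the letters of
    'purple-grass-dances-wildly' individually would overstate its strength."""
    return entropy_bits(words, WORDLIST_SIZE)


def words_to_match(password_length: int) -> int:
    """Smallest random-word count whose entropy is at least that of a random
    printable-ASCII password of `password_length` characters."""
    target = random_password_bits(password_length)
    return math.ceil(target / math.log2(WORDLIST_SIZE))


def expected_guesses(bits: float) -> float:
    """Average number of guesses needed against a secret of `bits` entropy:
    half the search space."""
    return 2 ** bits / 2


def policy_table(max_words: int = 7) -> list:
    """Side-by-side figures for the usual policy debate, as (label, bits) rows."""
    rows = [("8-char random, 95 symbols", random_password_bits(8)),
            ("12-char random, 95 symbols", random_password_bits(12))]
    rows += [(f"{n}-word random passphrase", passphrase_bits(n))
             for n in range(4, max_words + 1)]
    return rows


if __name__ == "__main__":
    for label, bits in policy_table():
        print(f"{label:28s} {bits:6.1f} bits")
    print("words needed to match an 8-char random password:", words_to_match(8))
    print("words needed to match a 12-char random password:", words_to_match(12))
```

The figures only hold when the words really are chosen at random; a passphrase a user composes from favourite words has less entropy than the word-list model credits, which is why the breach-list screening described later still matters.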
Stop changing passwords (unless you have to)
NIST has made one surprising change to its recommendations: stop requiring regular password changes.
Frequent password resets often result in predictable patterns. Users increment numbers or switch letters as part of unsafe reuse habits. Instead, it would be wise to leave passwords alone until there's reason to believe they have been compromised. Long, strong passphrases combined with modern tools like monitoring and MFA can increase security levels significantly.
Block the worst passwords automatically
Another major change in NIST guidance is its new emphasis on screening passwords against known breach data and patterns, rejecting:
- Common passwords like "123456" or "password1"
- Passwords exposed in public data breaches
- Contextually relevant passwords (e.g. your company name)
Many enterprise tools - and free services like HaveIBeenPwned - can automate this screening.
Self-service password resets are a must-have
NIST highlights the significance of modern self-service password reset (SSPR) workflows, rather than forcing users to contact the helpdesk or answer outdated "What is your mother's maiden name?" questions. For effective implementation, organisations should provide:
- Secure reset mechanisms (e.g., email, authenticator app and mobile number)
- Multi-factor authentication (MFA) to confirm user identity
- Auditing and logging of all password reset activity
These all should be employed accordingly to reduce support costs, empower users and align with Zero Trust principles.
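The three requirements just listed (a secure delivery channel, MFA before anything is issued, and an audit trail) fit in a small reset-token service. This is an added example, not code from the original post or from CNS, and the 15-minute token lifetime and the cap of three requests per hour are assumed values, not figures from NIST. Only an HMAC of each token is stored, so a leaked database does not contain working reset links; tokens are single-use and expire; and every accept or deny decision is appended to an audit log.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Policy constants; both are assumptions for this example, not figures from NIST.
TOKEN_TTL_SECONDS = 15 * 60      # a reset link or code is valid for 15 minutes
MAX_ISSUED_PER_HOUR = 3          # per-user cap on reset requests


@dataclass
class ResetRecord:
    user: str
    channel: str          # e.g. "email", "authenticator", "sms"
    issued_at: float
    used: bool = False


class ResetService:
    """Issues and redeems single-use password-reset tokens.

    Only an HMAC of each token is stored, so a database leak does not hand out
    working reset links; every decision is appended to an audit log."""

    def __init__(self, pepper: bytes, clock: Callable[[], float] = time.time):
        self._pepper = pepper              # server-side secret, kept out of the DB
        self._clock = clock                # injectable so tests can move time
        self._records: dict = {}           # token HMAC -> ResetRecord
        self.audit_log: list = []

    def _token_id(self, token: str) -> str:
        return hmac.new(self._pepper, token.encode("utf-8"), hashlib.sha256).hexdigest()

    def _audit(self, event: str, user: str, **detail) -> None:
        self.audit_log.append({"ts": self._clock(), "event": event, "user": user, **detail})

    def _issued_last_hour(self, user: str) -> int:
        now = self._clock()
        return sum(1 for r in self._records.values()
                   if r.user == user and now - r.issued_at < 3600)

    def request_reset(self, user: str, channel: str, mfa_verified: bool) -> Optional[str]:
        """Issue a token once MFA has confirmed the requester. Returns the token
        to be delivered over `channel`; the caller sends it and never stores it."""
        if not mfa_verified:
            self._audit("reset_denied_no_mfa", user, channel=channel)
            return None
        if self._issued_last_hour(user) >= MAX_ISSUED_PER_HOUR:
            self._audit("reset_denied_rate_limit", user, channel=channel)
            return None
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._records[self._token_id(token)] = ResetRecord(user, channel, self._clock())
        self._audit("reset_token_issued", user, channel=channel)
        return token

    def redeem(self, user: str, token: str) -> bool:
        """Consume a token. True means the caller may now set a new password."""
        record = self._records.get(self._token_id(token))
        if record is None or record.user != user:
            self._audit("reset_failed_unknown_token", user)
            return False
        if record.used:
            self._audit("reset_failed_token_reused", user)
            return False
        if self._clock() - record.issued_at > TOKEN_TTL_SECONDS:
            self._audit("reset_failed_token_expired", user, channel=record.channel)
            return False
        record.used = True
        self._audit("password_reset_completed", user, channel=record.channel)
        return True


if __name__ == "__main__":
    svc = ResetService(pepper=b"constructed-example-pepper")
    token = svc.request_reset("alice", "authenticator", mfa_verified=True)
    print("redeem:", svc.redeem("alice", token))
    print("replay:", svc.redeem("alice", token))
    for entry in svc.audit_log:
        print(entry)
```

The lookup is by the token's HMAC rather than by the raw token, so the comparison is a dictionary key match on a value that reveals nothing useful, and the audit log records the channel used on both issue and redemption, which is what an investigator needs when a reset is disputed.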
Multi-factor authentication is still essential
Even the strongest password can be compromised. That’s why MFA remains non-negotiable.
NIST encourages the use of MFA tools that can withstand phishing attacks - like hardware tokens, authenticator apps or biometric tools. While SMS-based MFA is still better than nothing, it remains vulnerable to interception and spoofing; when possible, opt for stronger second factors.
Final thoughts
It's time to rethink password security! The NIST guidelines offer a practical, modern framework that better represents how people actually use technology today. By emphasising longer passphrases, enabling self-service tools, eliminating forced resets and layering MFA, organisations can secure themselves without burdening users with obsolete complexity.
If your password policy hasn't changed in five years, now is the time to do so. Security shouldn't just mean ticking boxes; rather, it should involve taking thoughtful approaches that address real threats while remaining user-centric.
CNS can assist your organisation with creating and implementing password security guidelines, and more.
Further reading
Here's a summary of the key password related recommendations from NIST SP 800-63B:
- Minimum Length
  - Minimum of 8 characters for user-generated passwords.
  - No maximum length less than 64 characters.
  - Allow the use of all printable ASCII and Unicode characters (spaces, emojis, etc.).
- No Complexity Requirements
  - Do not require users to include special characters, numbers, or mixed case.
  - Allow users to create easy-to-remember passphrases instead of forcing hard-to-type combinations.
- No Periodic Expiration
  - Do not require passwords to expire at regular intervals (e.g., every 90 days).
  - Passwords should only be changed if there is evidence of compromise.
- Password Screening
  - Validate new passwords against a list of:
    a. Known breached passwords
    b. Commonly used passwords
    c. Passwords with repetitive or sequential characters
    d. Context-specific passwords (e.g., your org’s name or username)
  - Reject any passwords found on those lists.
- Password Entry Requirements
  - Limit failed attempts to prevent brute-force attacks (rate limiting, lockouts).
  - Do not use knowledge-based questions (e.g., “What is your pet’s name?”); too many people share that information on social media.
- Support for Copy & Paste
  - Do not block password managers from pasting passwords.
  - This improves both usability and security by encouraging stronger, unique passwords.
- Self-Service Password Reset (SSPR)
  - Implement secure SSPR options that include multi-step verification.
  - Use secure channels (email, authenticator app, SMS - with caution).
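The screening rules from "Block the worst passwords automatically" and the length, complexity and screening items in this summary can be turned into one validator. The following is an added example, not code from the original post or from CNS. The common-password list, the organisation words "examplecorp"/"ecorp" and the "breached" passwords are all constructed sample data; the 8 and 64 figures are the SP 800-63B values quoted above, while the 256-character ceiling is an assumption. The breach check follows the k-anonymity pattern used by the HaveIBeenPwned range endpoint (send the first five hex characters of the SHA-1, match the remaining suffix locally); here the lookup is an injected function backed by the constructed list so the example runs offline, and a real deployment would supply a fetcher for `https://api.pwnedpasswords.com/range/{prefix}` in its place. Note what is deliberately missing: there is no uppercase, digit or symbol requirement.

```python
import hashlib
import unicodedata
from typing import Callable

# Length policy. 8 and 64 are the SP 800-63B figures summarised on this page;
# the 256 ceiling is an assumption for this example, chosen only to bound
# hashing work while staying well above the 64 characters a verifier must accept.
MIN_LENGTH = 8
MUST_ACCEPT_UP_TO = 64
MAX_LENGTH = 256

# Constructed sample lists, not real breach data.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein", "iloveyou"}
CONTEXT_WORDS = {"examplecorp", "ecorp"}   # assumed organisation name and abbreviation
CONSTRUCTED_BREACHED = {"Summer2024!", "correct horse battery staple"}

# A range lookup takes the first 5 hex characters of a SHA-1 and returns
# "SUFFIX:COUNT" lines, the format of https://api.pwnedpasswords.com/range/{prefix}.
RangeLookup = Callable[[str], str]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the HaveIBeenPwned range endpoint, built from the
    constructed breached list so the example runs without network access."""
    lines = [f"{sha1_hex(pw)[5:]}:3" for pw in CONSTRUCTED_BREACHED
             if sha1_hex(pw).startswith(prefix)]
    return "\r\n".join(lines)


def appears_in_breach_data(password: str, lookup: RangeLookup) -> bool:
    """k-anonymity check: only the 5-character SHA-1 prefix leaves the host; the
    remaining 35 characters are matched locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padded responses can contain filler entries with a count of 0; ignore them.
        if candidate.upper() == suffix and count.strip().isdigit() and int(count) > 0:
            return True
    return False


def has_repetition_or_sequence(pw: str, run: int = 4) -> bool:
    """True for a run of `run` identical characters ('aaaa') or of consecutive
    code points in either direction ('abcd', '4321')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_context(pw: str, username: str) -> bool:
    low = pw.lower()
    return username.lower() in low or any(word in low for word in CONTEXT_WORDS)


def validate(password: str, username: str, lookup: RangeLookup = fake_range_lookup) -> list:
    """Return the reasons a candidate password is rejected; an empty list means
    it is accepted. Deliberately absent: any uppercase/digit/symbol requirement."""
    # NFKC normalisation so visually identical Unicode input compares equal;
    # spaces, emoji and all other printable characters are otherwise left alone.
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if has_repetition_or_sequence(pw):
        reasons.append("repetitive or sequential characters")
    if contains_context(pw, username):
        reasons.append("contains the organisation name or the username")
    if appears_in_breach_data(pw, lookup):
        reasons.append("appears in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Password1", "purple-grass-dances-wildly",
                      "correct horse battery staple", "ECorp-alice-2025"]:
        print(f"{candidate!r}: {validate(candidate, 'alice') or 'accepted'}")
```

Returning every failing reason rather than the first one lets the UI tell the user exactly why a choice was refused, which is the usability half of the NIST trade-off; the failed-attempt rate limiting listed under "Password Entry Requirements" belongs at the login endpoint, not in this validator.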
As certified IT security experts, we can help you fortify your defences, uphold regulatory compliance, improve your company's security posture and proactively maintain your servers and networks to protect you from evolving cyber risks.