Passwords. Love them or hate them (and let’s be honest, most of us fall into the latter category), they are the gatekeepers of our digital lives. Whether it’s for accessing your bank account, logging into your work email, or safeguarding sensitive company data, passwords are everywhere. Yet, despite their ubiquity, they are also one of the most criticized and inconvenient elements of modern security. Users forget them, reuse them, or—my personal favorite—write them on sticky notes attached to their monitors. Clearly, there’s room for improvement.
Enter the National Institute of Standards and Technology (NIST). NIST is a U.S. federal agency that develops and promotes standards, including those for cybersecurity. Think of them as the rulebook writers of the digital world, ensuring that organizations have a baseline to follow. Their guidelines influence how we manage and secure digital identities. Now, they have revised their stance on passwords.
Revisiting NIST’s Old, Tiresome Password Rules
Traditionally, NIST’s guidance on passwords felt like it was inspired by a “harder is better” philosophy. Their old rules, once considered the gold standard, pushed for complex combinations—uppercase, lowercase, numbers, special characters, and a minimum length of eight characters. Additionally, they recommended frequent password changes, every 60 to 90 days, whether you liked it or not. These rules aimed to make passwords hard for attackers to guess but, unfortunately, they also made it nearly impossible for users to remember.
To make matters worse, users often created predictable variations like “Password1!” or “Summer2024!”, which met NIST’s complexity requirements but were anything but secure. The result was a lot of frustration, password fatigue, and ultimately, a password ecosystem that wasn’t as secure as it seemed. NIST’s old rules, despite good intentions, were becoming outdated in an evolving digital landscape.
New Password Rules Move Away from “Complexity at all costs”
NIST’s new publication, SP 800-63B, signals a shift away from this “complexity at all costs” mentality. The new approach is more about practicality and user behavior. Here’s the crux of what’s changed:
- Elimination of Mandatory Password Changes: NIST now advises against forcing routine password changes unless there’s evidence of compromise. This is a significant departure from the old 60-to-90-day rotation rule.
- Focus on Longer Passwords: Instead of complex eight-character passwords, NIST encourages longer passwords or passphrases, ideally 15-64 characters long. Length is the new complexity.
- Screening Against Common Passwords: The new rules suggest screening passwords against a blacklist of common passwords (e.g., “123456” or “password”), as well as those compromised in data breaches.
- Simplification of Complexity Requirements: No more forcing special characters, uppercase letters, or numbers. The focus is on letting users create memorable, longer passphrases.
The Benefits and Reasoning Behind the New NIST Password Rules
So, why the shift? NIST’s new approach focuses on making passwords both secure and user-friendly. The reasoning is simple: people are more likely to choose secure passwords if they don’t feel overly burdened. Longer passphrases, like “iloverunningintherain,” are easier to remember and far harder to crack than “Pa$$w0rd!” despite their simplicity.
By eliminating forced password changes, NIST acknowledges that users tend to create weaker passwords when pressured to change them frequently. Instead of randomizing complex characters, they might just increment a number or append “!” to a previous password—hardly a security improvement.
Additionally, the emphasis on screening passwords against known compromised lists addresses the reality that attackers often leverage databases of leaked credentials. This way, even if users choose a seemingly simple password, it won’t be allowed if it’s too common or previously exposed.
Pros and Cons of the New Rules
Pros:
- User-Friendly: The shift to longer passphrases over complex short passwords and fewer forced changes reduces user frustration and the likelihood of poor password practices (like writing them down or reusing them).
- Better Security: Screening against known compromised passwords increases the effectiveness of password policies, ensuring even simple but memorable passphrases offer more security.
- Adaptability: The new rules acknowledge that different contexts and environments may require different approaches, allowing flexibility for organizations to implement contextually appropriate policies.
Cons:
- Overreliance on Length: While longer passwords are generally more secure, they may still be vulnerable if users create predictable phrases. According to HIVE Security’s research, length alone does not provide sufficient protection—passwords must also be random and complex to be truly effective. Even long phrases like “thisismypassword2024” could be compromised quickly if attackers identify predictable patterns.
- Reduced Complexity Requirements: Dropping character-type requirements might lead to simpler passwords that, while longer, could still be easy to guess for sophisticated attackers. HIVE’s findings underscore that attackers can use advanced algorithms and brute force tools that efficiently crack predictable long passwords if they lack adequate complexity.
- Potential for Complacency: By removing mandatory password changes, there’s a risk of users becoming complacent and not updating their passwords even when necessary. HIVE’s research supports the notion that a combination of length, complexity, and frequent updates is crucial, especially for critical accounts and sensitive systems.
These findings highlight that while NIST’s guidelines aim for a balanced approach, relying solely on passphrase length without incorporating complexity can leave systems vulnerable.
Challenging the New Rules: A Balanced Perspective
While NIST’s new guidelines are a step in the right direction, they don’t eliminate the need for a nuanced approach. It’s tempting to take these guidelines as gospel and think you’re covered, but security is about context and risk management. For example, while mandatory password changes might be less necessary for most users, critical accounts like admin credentials and access to sensitive systems may still benefit from periodic updates, especially when monitoring and detection capabilities are limited.
Even when using multi-factor authentication (MFA) and other layers of authentication protection, it’s important to recognize that these measures are not bulletproof. Each layer has its own vulnerabilities—MFA can be bypassed through phishing, SIM-swapping, or social engineering attacks, and biometric systems can be tricked. This means that having a strong, secure, and complex password remains a highly important aspect of defense, as it serves as the first barrier an attacker must overcome.
HIVE Security’s research shows that while longer passphrases are helpful, they are not sufficient on their own if they are not complex. People tend to be creatures of habit, and even with longer options, they might stick with predictable patterns. NIST’s guidelines offer a solid foundation, but they aren’t a one-size-fits-all solution. Regular risk assessments, monitoring for breaches, and employing MFA remain critical components of a robust password strategy, but they must be accompanied by strong password hygiene. By maintaining these fundamentals and not becoming complacent with any single layer of protection, organizations can build a resilient and adaptive security posture.
Conclusion
NIST’s new guidelines represent a much-needed modernization of password management. They move away from overly complicated requirements that frustrated users and didn’t necessarily improve security. By focusing on practical, user-friendly solutions like longer passphrases and eliminating unnecessary password changes, NIST aligns better with how people use and remember passwords in real-world scenarios. This shift is not just about improving security but also about improving compliance—when security measures are easier to follow, people are more likely to follow them.
However, it’s important to remember that no single set of guidelines will fit every situation perfectly. The new NIST rules are a strong foundation, but organizations should tailor them to their unique risk profiles and threat environments. Whether that means adding complexity back in, requiring occasional password changes for critical accounts, or pairing these measures with other layers like MFA and biometric authentication, the key is not to become complacent. Even with the best guidelines, strong and secure passwords remain an essential part of a layered security approach.
In the end, passwords are still a critical defense mechanism, and while the goal is to make them easier to manage without compromising security, organizations must remain vigilant. The balance between usability and security is a delicate one, and while NIST’s new rules make strides in the right direction, it’s up to each organization to assess their own risks and ensure that they build the most resilient password policies possible.
How Suridata Helps Build Stronger SaaS Security Postures
As organizations embrace NIST’s modern guidelines and move beyond traditional password management, it’s crucial to ensure that these improvements extend to SaaS ecosystems. Suridata’s SaaS Security platform provides comprehensive visibility into the risks posed by misconfigurations, third-party integrations, and user behavior across SaaS applications. With an agentless, non-intrusive approach, Suridata identifies weak points—such as missing or weak MFA requirements, non-idP user accounts, compromised credentials or unauthorized third-party access—enabling organizations to enforce security policies proactively. By continuously monitoring user activities, including password hygiene and access patterns, Suridata ensures that companies not only comply with best practices but also stay ahead of potential breaches across the entire SaaS environment.