Updated Password Guidance from NIST
The National Institute of Standards and Technology (NIST) has released updated password guidance that significantly reshapes how organizations should think about user authentication. The revisions, part of NIST Special Publication 800-63B Revision 4, were finalized in July 2025 and place new emphasis on usability, practicality, and real-world security. For firms managing sensitive financial data, these updates are worth noting.
Key Changes in the 2025 Guidelines
- Minimum Password Length: NIST now requires a minimum of 15 characters when a password is the only authentication factor, replacing the older eight-character minimum; eight characters remains the floor only when the password is combined with a second factor. Verifiers should also accept passwords of at least 64 characters and must check the entire password rather than truncating it. The focus has shifted toward memorable passphrases rather than short strings of random symbols.
- No Forced Complexity: Composition rules that require a mix of uppercase, lowercase, numbers, and special characters are no longer permitted. Instead, verifiers should accept all printing ASCII characters, the space character, and Unicode, so users can create strong but natural phrases.
- No Mandatory Periodic Changes: Forcing users to change passwords on a schedule is prohibited; a change should be required only when there is evidence that the password has been compromised, because forced resets push users toward predictable patterns.
- Screening Against Compromised Credentials: Before accepting a new or changed password, verifiers must compare it against a blocklist of commonly used, expected, or compromised passwords. The blocklist should also cover context-specific words such as the service name, the username, and simple variations of them.
- No Password Hints or Static Security Questions: NIST prohibits storing password hints that an unauthenticated person can see and prohibits knowledge-based questions such as "What was the name of your first pet?" because the answers are easily discovered or socially engineered.
- Multifactor Authentication (MFA): NIST strongly recommends MFA, as passwords alone are no longer enough to protect accounts containing sensitive information. When the password is one factor of a multifactor login, the required minimum length drops from 15 characters to eight.
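The rules above translate into a small acceptance check that a verifier runs when a password is created or changed. The following is an added example written for this article, not code published by NIST; the blocklist contents, the 128-character cap, the case-insensitive comparison, and the "context word carries the length" rule are assumptions chosen for illustration, and a production system would consult a real breached-password corpus rather than an inline set.

```python
"""Password acceptance check modelled on SP 800-63B Rev. 4 (added example)."""
import unicodedata
from typing import List, Tuple

# Constructed sample blocklist; stands in for a real corpus of commonly used
# and breached passwords (hypothetical entries, not NIST's or any vendor's list).
COMPROMISED_BLOCKLIST = frozenset({
    "password", "123456", "qwerty", "letmein",
    "correct horse battery staple",   # assume the famous example has leaked
})

MIN_LEN_SINGLE_FACTOR = 15   # Rev. 4: password is the only factor
MIN_LEN_WITH_MFA = 8         # Rev. 4: password used alongside a second factor
MAX_LEN = 128                # assumed cap; Rev. 4 says allow at least 64


def normalize(password: str) -> str:
    """NFKC-normalise so equivalent Unicode spellings compare equal.

    Rev. 4 counts each code point as one character, which len() does after
    normalisation (e.g. 'e' + combining acute becomes the single code point 'e').
    """
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, *, mfa: bool = False,
                   context_words: Tuple[str, ...] = ()) -> List[str]:
    """Return the reasons the password must be rejected; empty means accept.

    Deliberately absent: any requirement for digits, symbols or mixed case,
    and any truncation of the submitted value.
    """
    reasons: List[str] = []
    pw = normalize(password)
    min_len = MIN_LEN_WITH_MFA if mfa else MIN_LEN_SINGLE_FACTOR

    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        # Printing characters, spaces and Unicode are all fine; ASCII/Unicode
        # control characters are not.
        reasons.append("contains control characters")

    # Case-insensitive blocklist comparison (a design choice here) so that
    # trivially capitalised variants of leaked passwords are still caught.
    folded = pw.casefold()
    if folded in COMPROMISED_BLOCKLIST:
        reasons.append("appears on the commonly used / compromised password list")

    for word in context_words:
        # Context-specific words (service name, username, ...) must not be what
        # gets the password over the length bar: strip them and re-measure.
        if word and len(folded.replace(word.casefold(), "")) < min_len:
            reasons.append(f"relies on context-specific word {word!r}")
    return reasons
```

Note that "my dog eats socks" passes with no digits or symbols at all, while a 28-character passphrase on the blocklist is still rejected: length and screening, not composition, do the work.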
Beyond the password rules themselves, the updated guidance carries several further requirements for the systems that store and check passwords, along with recommendations aimed at reducing user friction. Organizations implementing the standard should attend to the following:
- Password Storage: NIST requires passwords to be salted with a random value of at least 32 bits and hashed with a one-way password hashing function whose cost parameter is set as high as the verifier's performance allows (NIST cites PBKDF2 and the memory-hard Balloon function as examples). An additional keyed hash using a secret kept separately from the password database is recommended. Plain text storage, and reversible encryption, are prohibited.
- User Experience: The guidance now emphasizes reducing user frustration. Verifiers should allow users to paste passwords into fields, which supports password managers, and should offer an option to display the typed password instead of masking it.
- Breach Response: Organizations should have procedures to respond quickly to password-related incidents, including notifying affected users and forcing password resets when there is evidence that credentials were compromised, rather than on a schedule.
- Education and Support: Organizations should teach users how to build memorable passphrases and explain the risks of reusing a password across multiple sites.
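The storage requirement above is where most home-grown implementations go wrong (unsalted hashes, fast general-purpose hashes, or comparisons that leak timing). The following is an added example for this article, not NIST's code: it uses scrypt from the Python standard library as the memory-hard password hashing function, a random 128-bit salt per password, an optional server-side secret ("pepper") applied as a keyed hash, and a constant-time comparison on verification. The cost parameters and the `$scrypt$n$r$p$salt$hash` record format are assumptions chosen for illustration.

```python
"""Salted, memory-hard password storage and verification (added example)."""
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed work factors; raise them as far as verification latency allows.
# n=2**14, r=8 costs roughly 16 MiB of memory per hash computation.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16    # NIST requires at least 32 bits of salt; 128 bits used here
DK_LEN = 32        # derived-key length in bytes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int,
            pepper: Optional[bytes]) -> bytes:
    """scrypt over the normalised password, then an optional keyed hash."""
    # NFKC so equivalent Unicode spellings of one passphrase verify as equal.
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    dk = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=DK_LEN)
    if pepper is not None:
        # The pepper lives outside the credential database (e.g. in a KMS or
        # HSM); a stolen table alone cannot be cracked without it.
        dk = hmac.new(pepper, dk, "sha256").digest()
    return dk


def hash_password(password: str, pepper: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n$r$p$<salt>$<hash>, base64 fields."""
    salt = os.urandom(SALT_BYTES)   # fresh random salt for every password
    dk = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P, pepper)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                        _b64(salt), _b64(dk))


def verify_password(password: str, record: str,
                    pepper: Optional[bytes] = None) -> bool:
    """Recompute from the stored parameters and compare in constant time.

    Storing n, r and p in the record lets the cost be raised later for new
    passwords while old records remain verifiable until they are rehashed.
    """
    try:
        _, scheme, n, r, p, salt_b64, dk_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    actual = _derive(password, salt, n, r, p, pepper)
    return hmac.compare_digest(actual, expected)
```

Because the salt is random, hashing the same password twice yields two different records, and a record produced with a pepper cannot be verified without that same pepper.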
Together, these updates modernize digital identity protection by balancing security with usability. By dropping forced complexity and scheduled password changes in favor of longer passphrases, breach screening, proper password hashing, and multifactor authentication, the guidance gives organizations a more practical and effective framework for safeguarding sensitive data. Those that adopt it strengthen their security posture and, at the same time, remove much of the friction users have come to associate with passwords.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.

