NIST Password Guidelines 2025: What Changed and What It Means for You
NIST SP 800-63B updated its guidance. Mandatory rotation is out. Length beats complexity. Here is what changed and what it means for your password policy.
The key changes in the 2024/2025 revision
NIST SP 800-63B-4 made several significant updates:
- Mandatory periodic rotation is explicitly discouraged
- Length is prioritised over complexity rules
- Passwords must be checked against known-breached lists
- SMS OTP is deprecated as a sole second factor
- Unicode characters must be accepted in passwords
Length beats complexity: the math
A 16-character password using only lowercase letters has more entropy than an 8-character password using all character classes. The reason is that entropy grows linearly with length (length multiplied by log2 of the pool size) but only logarithmically with pool size, so at the lengths typical policies mandate, more characters from a small pool beat fewer characters from a larger pool.
Practical implications for your password policy
Remove mandatory rotation schedules. Replace them with rotation-on-compromise policies.
Remove arbitrary composition rules. Instead, require a minimum length of 12-16 characters and check all new passwords against a breached password database.
Allow spaces and special characters without restrictions.
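The entropy comparison above and the three policy rules (no composition rules, a minimum length, a breached-list check, Unicode and spaces accepted) worked through as an added example; this is illustration code, not from NIST or from the original article. It assumes a minimum of 12 characters, a cap of 64, and a small constructed breached-hash corpus keyed by SHA-1 prefix in place of a real lookup service.

```python
import hashlib
import math
import unicodedata

# Constructed stand-in for a breached-password corpus. It is keyed by the first
# five hex characters of the SHA-1 hash so a real lookup could send only that
# prefix off-host; here the only entry is the hash of "password".
BREACHED_SHA1_BY_PREFIX = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8"},
}


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(pool size)."""
    return length * math.log2(pool_size)


def is_breached(password: str) -> bool:
    """Check the password against the (constructed) breached corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in BREACHED_SHA1_BY_PREFIX.get(prefix, set())


def validate_password(password: str, min_length: int = 12, max_length: int = 64) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Length is counted in Unicode code points after NFKC normalisation, so
    accented and non-Latin characters count like any other. Spaces are allowed
    and no character-class (composition) rule is applied, per the guidance.
    The 12/64 bounds are this example's assumptions.
    """
    normalised = unicodedata.normalize("NFKC", password)
    problems = []
    length = len(normalised)
    if length < min_length:
        problems.append(f"too short: {length} < {min_length} characters")
    if length > max_length:
        problems.append(f"too long: {length} > {max_length} characters")
    if is_breached(normalised):
        problems.append("appears in breached-password corpus")
    return problems


if __name__ == "__main__":
    print(f"16 lowercase: {entropy_bits(16, 26):.1f} bits")
    print(f"8 all-class:  {entropy_bits(8, 95):.1f} bits")
    for candidate in ["password", "correct horse battery staple", "pässwörd pässwörd"]:
        print(repr(candidate), validate_password(candidate) or "accepted")
```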