Modern password tips based on NIST guidelines

Passwords are an inherently flawed security measure in an era of constant phishing attacks and massive data leaks. This guide breaks down the latest recommendations from the National Institute of Standards and Technology (NIST) and shows how to improve security with longer passwords, smarter tools, and modern authentication methods.

Why should your business listen to NIST?

NIST is a US government agency that sets cybersecurity standards. Although originally created for federal agencies, its influence now extends to the private sector. Industries that handle sensitive data, such as healthcare, finance, and software, often adopt NIST guidelines because they are based on rigorous real-world testing and an understanding of human behavior.

In fact, many modern compliance frameworks, including HIPAA and SOC 2, now incorporate NIST’s approach to identity management, establishing its recommendations as the gold standard for any security-conscious business.

Outdated practices vs. new NIST standards

To strike a balance between security and ease of use, organizations must abandon old password policies and adopt NIST’s latest password security guidance.

Prioritize password length over complexity

One of the biggest changes in password security is the move away from strict complexity rules. This means organizations no longer need to require combinations of uppercase letters, numbers, and symbols. The reason is simple: users find predictable ways to meet these rules (e.g., “Password123!”), making passwords incredibly easy to guess.

Length is now the most important factor in password security. Longer passwords are harder for cybercriminals to crack, even with powerful hardware. While NIST guidelines suggest a minimum of eight characters for standard accounts, security experts recommend 12 to 16 characters for a better balance of security and usability.

To support this shift, systems should now accommodate passwords up to 64 characters long, enabling users to create memorable passphrases. A passphrase, which is a string of unrelated words (e.g., “bluecoffeetrainsunset”), is now considered one of the most secure and user-friendly authentication methods. Because they are easier to remember and significantly harder to crack than short, complex passwords, passphrases offer superior security and convenience.

Furthermore, NIST now mandates that systems accept all printable ASCII characters, spaces, and Unicode symbols. This allows users to create longer, more memorable passphrases using native language characters or even emojis, which can also help reduce the frequency of password reset requests.

End forced password resets

Mandatory password changes every 60 or 90 days are an outdated practice. This policy often leads to security fatigue, prompting users to create weaker, more predictable passwords.

Instead, NIST now recommends a more practical approach:

  • Require password changes only when there’s evidence of a compromise.
  • Actively monitor accounts for suspicious activity.
  • Trigger password resets based on actual risk, not a fixed schedule.

Screen passwords and monitor for compromised credentials

Attackers often rely on leaked password lists rather than randomly guessing. That’s why NIST recommends organizations do the following:

  • Block the use of common passwords (e.g., “123456”).
  • Prevent employees from using passwords exposed in past breaches.
  • Continuously monitor for exposed credentials.
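The length and screening rules above can be expressed as a single acceptance check. The following is an added example, not code from the article: it enforces a minimum of 8 and a maximum of 64 characters, counts Unicode characters (spaces and emojis included) rather than bytes, imposes no composition rules, and rejects anything on a blocklist. The blocklist here is a constructed sample, and the NFKC normalization step is an assumption added to make visually identical passwords compare equal.

```python
import unicodedata

# Constructed sample standing in for a list of common and breached passwords;
# a real deployment would load a far larger corpus (e.g., from a breach feed).
BLOCKLIST = {"123456", "password", "password123!", "qwerty", "letmein"}

MIN_LENGTH = 8    # minimum NIST allows for user-chosen passwords
MAX_LENGTH = 64   # systems should accept at least this many characters


def normalize(password: str) -> str:
    """Assumption: normalize to NFKC so a character typed as a precomposed
    code point and as base + combining mark are treated as the same string."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    No composition rules: any printable character, space or emoji counts
    toward length. Length is measured in Unicode characters, not bytes,
    so a passphrase with accented letters or emojis is not penalized.
    """
    pw = normalize(password)
    length = len(pw)
    if length < MIN_LENGTH:
        return False, f"too short ({length} < {MIN_LENGTH} characters)"
    if length > MAX_LENGTH:
        return False, f"too long ({length} > {MAX_LENGTH} characters)"
    # "printable" excludes control characters (Unicode category Cc, Cf, ...)
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        return False, "contains control characters"
    # Case-insensitive blocklist lookup catches "Password123!" as well
    if pw.casefold() in BLOCKLIST:
        return False, "appears in blocklist of common or breached passwords"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password123!", "bluecoffeetrainsunset",
                      "blue coffee train ☕ sunset", "short"):
        print(repr(candidate), "->", check_password(candidate))
```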

Use password managers

Since every account needs a long, unique password, remembering them all is practically impossible. That’s why NIST highly recommends the use of password managers. These tools act as a secure digital vault, generating and autofilling strong passwords so your team doesn’t have to.

Beyond the password: MFA and biometrics

Passwords alone aren’t enough to ensure security. NIST recommends that when a password is required, it must be paired with an extra layer of verification:

Phishing-resistant MFA

Multifactor authentication (MFA) fortifies accounts by requiring more than just a password to sign in. However, NIST now advises against using SMS text codes for MFA, as attackers can intercept these. Instead, it recommends using authenticator apps or hardware security keys (small USB tokens). With these methods, the “key” to your account remains securely on your physical device.

Safe and accurate biometrics

For biometric security such as facial recognition and fingerprint scanning, NIST sets high standards for:

  • Accuracy: Systems must have a false match rate of less than 1 in 10,000 to ensure reliability.
  • Privacy: Your actual fingerprint or face image is never stored. Instead, the system generates a unique digital map (a template) and immediately deletes the original biometric data, protecting your identity.

Connect with our experts to bolster your cyber defenses against emerging threats and explore the future of password security.
