NIST Password Guidelines 2025: What Changed?
Review the latest NIST password guidelines and what they mean for your security practices. Modern recommendations may surprise you.

The National Institute of Standards and Technology (NIST) has significantly updated its password guidelines in recent years, abandoning many long-held practices in favor of evidence-based recommendations.
Key Changes from NIST
- Drop periodic password changes — only change when compromised
- Allow long passwords (64+ characters) and passphrases
- Remove arbitrary complexity requirements
- Check passwords against known breached password lists
- Emphasize multi-factor authentication over password complexity
Why Forced Password Changes Hurt Security
Research shows that mandatory password rotation leads to predictable patterns: users increment a number, change a single character, or reuse a variation of the old password. Attackers know these patterns.
Length Over Complexity
NIST now emphasizes length over arbitrary complexity rules. A 20-character lowercase password is stronger than an 8-character password with mixed character types.
Breach List Checking
Organizations should check new passwords against databases of known compromised passwords. If a password appears in a breach, it should be rejected regardless of its apparent complexity.
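To show how the points above fit together (rotation variants, length over complexity, and breach-list rejection), here is an added example of a password-acceptance check written in the spirit of these guidelines. It is not code from NIST or from this article; the length limits, the tiny breach corpus and the similarity heuristic are assumptions made for the example, and a real deployment would use a full breach dataset and the thresholds in the current NIST publication.

```python
import hashlib
import math
import re
from typing import Optional

# Policy thresholds are assumptions for this example, not NIST's numbers.
MIN_LENGTH = 8
MAX_LENGTH = 128  # accept long passphrases rather than truncating them

# Constructed breach corpus: SHA-1 digests of a few well-known weak strings,
# standing in for a real compromised-password dataset.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Summer2024!", "letmein")
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str) -> bool:
    """True if the password appears in the breach corpus, whatever it looks like."""
    return sha1_hex(password) in BREACHED_SHA1


def search_space_bits(password: str) -> float:
    """Rough log2 of the brute-force search space implied by length and character classes.
    Illustrates why a long lowercase password beats a short mixed-class one."""
    classes = 0
    if re.search(r"[a-z]", password):
        classes += 26
    if re.search(r"[A-Z]", password):
        classes += 26
    if re.search(r"[0-9]", password):
        classes += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        classes += 33  # printable ASCII punctuation and space
    if classes == 0:
        return 0.0
    return len(password) * math.log2(classes)


def _stem(password: str) -> str:
    """Strip the trailing digits/symbols that rotation schemes typically bump."""
    return re.sub(r"[0-9!@#$%^&*]+$", "", password).lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean a one- or two-character tweak."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_rotation_variant(old: str, new: str) -> bool:
    """Heuristic (an assumption of this example) for the predictable patterns
    described above: same stem with a bumped suffix, or a tiny edit."""
    if old.lower() == new.lower():
        return True
    if _stem(old) and _stem(old) == _stem(new):
        return True
    return _edit_distance(old.lower(), new.lower()) <= 2


def validate(password: str, previous: Optional[str] = None) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the rejection reason.
    Deliberately imposes no composition rules: spaces and any characters are fine."""
    if len(password) < MIN_LENGTH:
        return f"too short: need at least {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"too long: maximum {MAX_LENGTH} characters"
    if is_breached(password):
        return "appears in a known breach"
    if previous is not None and looks_like_rotation_variant(previous, password):
        return "too similar to the previous password"
    return None


if __name__ == "__main__":
    for pw, prev in [("password", None),
                     ("correct horse battery staple", None),
                     ("Summer2025!", "Summer2024!")]:
        print(repr(pw), "->", validate(pw, prev) or "accepted")
    print("20 lowercase chars:", round(search_space_bits("abcdefghijklmnopqrst"), 1), "bits")
    print("8 mixed chars:     ", round(search_space_bits("Ab1!Ab1!"), 1), "bits")
```

The breach check compares hashes rather than plaintext so the corpus can be stored and shared without holding the passwords themselves; the similarity check only runs at change time, when the user supplies both the old and new password, so no old password has to be retained in a recoverable form.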
The NIST guidelines represent a shift from security theater to evidence-based practices that actually improve security outcomes.