For decades, IT security policies demanded passwords with uppercase letters, numbers, symbols, and forced changes every 90 days. These rules traced back to a 2003 NIST appendix whose own author later admitted they were wrong. In 2017, NIST reversed course. In 2024, they went further. Here's what the current guidelines actually say.
What Is NIST SP 800-63B?
NIST Special Publication 800-63B is the U.S. National Institute of Standards and Technology's digital identity guidelines, specifically covering authentication. Published in 2017 and updated in 2024, it represents the gold standard for password policy guidance — followed by U.S. federal agencies and adopted widely by private organizations.
The Old Rules That NIST Killed
If you've worked in corporate IT, you know these rules. NIST explicitly recommends against all of them:
❌ Mandatory password complexity rules
Requiring uppercase + lowercase + digit + symbol doesn't actually increase security — it just produces Password1!. Users predictably add a capital at the front, a number at the end, and an exclamation mark. Attackers know this. Rule-based password cracking explicitly targets this pattern.
❌ Mandatory periodic rotation
Forced 90-day password changes produce Winter2025! → Spring2026!. Research consistently shows that forced rotation leads to weaker, more predictable passwords, not stronger ones. NIST says: change passwords only when there's evidence of compromise.
❌ Password hints and security questions
Security questions ("What was the name of your first pet?") are answered with public or guessable information. NIST prohibits hints and knowledge-based authentication for anything sensitive.
❌ Restricting special characters
Allowing only certain characters reduces the character set and thus the entropy. NIST requires accepting all printable ASCII and Unicode characters, including spaces.
What NIST Actually Recommends
✓ Length over complexity
NIST sets a floor of 8 characters and recommends at least 15 for user-chosen passwords. Length, not character variety, is the dominant factor in password strength. Systems must accept passwords of at least 64 characters.
✓ Check against breach databases
When users set or change passwords, systems should check against known breached password lists (like the HaveIBeenPwned database). A password may be technically complex but appear in breached credential databases — making it trivially crackable via dictionary attack.
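As an added example (not code from the original article or from NIST), here is a verifier-side acceptance check in Python that applies the three recommendations above together: count length in code points after Unicode normalization, accept every printable character including spaces, impose no composition rule, and reject anything found in a breach corpus. The `BREACHED_SAMPLE` list is a constructed stand-in for a real corpus, and `LocalRangeService` is a hypothetical offline stand-in for a k-anonymity range lookup of the kind the HaveIBeenPwned Pwned Passwords API offers (the client sends only the first five hex characters of the SHA-1, the service returns every suffix in that bucket). The NFKC normalization step follows SP 800-63B's recommendation to normalize passwords before length checking and hashing; the `MIN_LEN`, `MAX_LEN` and context-word choices are this example's own.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a real breach corpus such as HaveIBeenPwned's
# Pwned Passwords list. Sample values only, chosen to match the article.
BREACHED_SAMPLE = [
    "Password1!", "Winter2025!", "Spring2026!", "123456", "qwerty",
    "letmein", "correct horse battery staple",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, as range-style lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class LocalRangeService:
    """Hypothetical offline stand-in for a k-anonymity range API.

    The client sends only the first 5 hex characters of the SHA-1; the
    service answers with every hash suffix in that bucket and its count,
    so the full password hash never leaves the client."""

    def __init__(self, breached):
        self.buckets = {}
        for pw in breached:
            h = sha1_hex(pw)
            bucket = self.buckets.setdefault(h[:5], {})
            bucket[h[5:]] = bucket.get(h[5:], 0) + 1

    def range(self, prefix: str) -> dict:
        return dict(self.buckets.get(prefix.upper(), {}))


def satisfies_legacy_composition(password: str) -> bool:
    """The old four-class rule that NIST now says verifiers shall not impose."""
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


class PasswordVerifier:
    """Acceptance check in the spirit of SP 800-63B: length, breach list and
    context words only; no composition rules, no character-set restrictions."""

    MIN_LEN = 15    # recommended minimum for user-chosen passwords
    MAX_LEN = 128   # must accept at least 64; the cap only bounds hashing cost

    def __init__(self, range_service, context_words=()):
        self.range_service = range_service
        self.context_words = {w.casefold() for w in context_words}

    @staticmethod
    def normalize(password: str) -> str:
        # 800-63B recommends NFKC/NFKD normalization before counting and
        # hashing, so the same visible string always yields the same hash.
        return unicodedata.normalize("NFKC", password)

    def is_breached(self, password: str) -> bool:
        h = sha1_hex(password)
        return h[5:] in self.range_service.range(h[:5])

    def check(self, password: str, username: str = "") -> Verdict:
        pw = self.normalize(password)
        reasons = []
        n = len(pw)  # count code points, not UTF-8 bytes
        if n < self.MIN_LEN:
            reasons.append("too_short")
        if n > self.MAX_LEN:
            reasons.append("too_long")
        # Every printable character, including spaces and non-ASCII, is
        # allowed; only control characters (Unicode category Cc) are rejected.
        if any(unicodedata.category(c) == "Cc" for c in pw):
            reasons.append("control_chars")
        lowered = pw.casefold()
        if username and username.casefold() in lowered:
            reasons.append("contains_username")
        if any(w in lowered for w in self.context_words):
            reasons.append("contains_context_word")
        if self.is_breached(pw):
            reasons.append("breached")
        return Verdict(accepted=not reasons, reasons=reasons)


def demo():
    verifier = PasswordVerifier(LocalRangeService(BREACHED_SAMPLE),
                                context_words=["examplecorp"])
    for pw in ["Password1!", "correct horse battery staple",
               "my dog ate the tax return in 2019"]:
        v = verifier.check(pw, username="alice")
        print(f"{pw!r}: legacy-complex={satisfies_legacy_composition(pw)} "
              f"accepted={v.accepted} reasons={v.reasons}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the article's point in one screen: `Password1!` passes the legacy four-class rule yet is rejected as both too short and breached, the famous all-lowercase passphrase is rejected only because it sits in the corpus, and a long, unremarkable sentence is accepted. The verifier never asks for uppercase or symbols, and the only thing it sends to the range service is a five-character hash prefix.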
✓ No knowledge-based authentication for sensitive systems
Security questions are not acceptable as a second authentication factor for anything important. Use TOTP, hardware keys, or push notifications instead.
✓ Allow paste in password fields
Preventing paste in password fields forces users to type passwords manually, which discourages the use of strong, long passwords and password managers. NIST explicitly requires allowing paste.
✓ Show password option
Users should be able to reveal their typed password to check for typos. Hidden passwords often cause login failures, frustration, and — ironically — weaker password choices.
✓ Multifactor authentication (MFA)
For anything sensitive, passwords alone are insufficient. NIST strongly recommends MFA, with hardware security keys (FIDO2/WebAuthn) as the strongest option.
The 2024 Update: What Changed?
NIST SP 800-63B revision 4 (finalized 2024) made these changes explicit and strengthened several recommendations:
- Verifiers (services) shall not impose composition rules — this moved from "should not" to "shall not"
- 15-character minimum recommended — increased from the prior soft guidance of 8
- Phishing-resistant MFA required for high-value accounts — FIDO2 hardware keys explicitly preferred
- Deprecated SMS OTP for sensitive use cases — SIM swapping attacks make SMS 2FA insufficient for high-assurance scenarios
What This Means in Practice
If you're setting password policy for an organization:
- Set minimum length to 15 characters, allow up to 64+
- Accept all printable characters including spaces and Unicode
- Check new passwords against breach databases
- Remove mandatory rotation (only force changes on evidence of compromise)
- Remove complexity rules
- Require MFA for privileged accounts
- Allow paste in password fields
If you're a regular user: use a password manager, generate random 16–20 character passwords for every account, and enable 2FA everywhere it's offered.
