The latest update to the NIST password recommendations is here, and it changes how we approach passwords: usability now takes precedence over complexity.

Should you care? Yes. The NIST guidelines don’t just reflect the best practices everyone should adhere to, but they also influence security compliance. Falling behind these guidelines could mean non-compliance with regulatory frameworks like HIPAA, GDPR, and GLBA — risking failed audits and costly penalties. This guide will help you understand the key changes and how best to implement them in your business.

What are NIST password guidelines?

The NIST password guidelines are security standards published by the National Institute of Standards and Technology, a US federal agency. These guidelines form the foundation of password policies across industries, and in some sectors, like government, they’re compulsory.

The guidelines are created based on real-world research and are not merely assumptions about password security. This is why major compliance frameworks are often shaped by NIST password recommendations, and why implementing them strengthens your security posture and regulatory compliance.

2025 NIST password requirements

Here’s a quick rundown of the updated NIST password requirements:

1. Use longer passwords

NIST recommends a minimum password length of 8 characters and a maximum of 64 characters. Longer passwords are harder to crack, since they tend to be more unique than short but complex passwords, which often follow a predictable pattern.

2. Drop complexity requirements

Building on the guideline above: mandatory special-character rules produce passwords that look complex but follow predictable patterns that attackers guess easily. Instead, accept every type of character, including spaces, and encourage employees to choose unique, memorable phrases (passphrases) as their passwords.

3. No more forced password resets

The only time a forced password reset should be enforced is when there is evidence of a compromise. Otherwise, forcing employees to reset their passwords every few months is considered bad practice, as the NIST has found that it actually makes password security weaker.

4. Maintain a password blocklist

The NIST recommends that businesses maintain a password blocklist to prevent the use of easily exploited passwords such as “1234” or passwords that feature variations of the employee’s or business’s name. Additionally, it recommends using password-checking services to ensure that employees don’t use compromised passwords that have been exposed in breaches.
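As an added example (not code from the original article or from Proton), the following Python sketch implements rules 1, 2 and 4 above as a single check: length bounds of 8 to 64 code points, no character-class rules at all, and a blocklist that catches trivial variations of breached passwords and of company- or user-specific terms. The blocklist entries, the company name "Acme" and the user names are constructed sample data; the case-folding, padding-stripping and leet-undoing normalization is an assumption about how such a screen is typically built, not a NIST requirement.

```python
import unicodedata

# Length bounds from the NIST recommendations described above: at least 8
# characters, and allow up to 64. Lengths are counted in Unicode code points,
# so an accented letter or an emoji counts as one character.
MIN_LEN = 8
MAX_LEN = 64

# Constructed sample blocklist: a handful of commonly breached passwords plus
# the organisation's own context-specific terms (hypothetical company "Acme").
# A real deployment would load these from a breach corpus and company data.
BREACHED = {"password", "123456", "12345678", "qwerty", "letmein", "welcome"}
COMPANY_TERMS = {"acme", "acmecorp"}

# Common "leet" substitutions, undone so that "P@ssw0rd" still matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
# Digits and punctuation people bolt onto a word ("Acme2024!" -> "acme").
PADDING = "0123456789!@#$%^&*()-_=+.,;:?"


def variants(pw: str) -> set[str]:
    """Canonical forms of a candidate, so trivial variations still hit the blocklist."""
    base = unicodedata.normalize("NFKC", pw).casefold()
    leet = base.translate(LEET)
    return {base, leet, base.strip(PADDING), leet.strip(PADDING)}


def check_password(pw: str, user_terms=()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    There is deliberately no character-class rule: spaces and any printable
    Unicode character are allowed, in line with the guidance above.
    """
    problems = []
    length = len(pw)
    if length < MIN_LEN:
        problems.append(f"too short ({length} < {MIN_LEN})")
    if length > MAX_LEN:
        problems.append(f"too long ({length} > {MAX_LEN})")

    forms = variants(pw)
    if forms & BREACHED:
        problems.append("matches a known breached password")

    # Context-specific terms: the company name plus the user's own name or username.
    # Terms shorter than three characters are skipped to avoid false positives.
    terms = sorted(COMPANY_TERMS | {unicodedata.normalize("NFKC", t).casefold() for t in user_terms})
    for term in terms:
        if len(term) >= 3 and any(term in f for f in forms):
            problems.append(f"contains context-specific term '{term}'")
    return problems


if __name__ == "__main__":
    samples = ["correct horse battery staple", "P@ssw0rd!", "Acme2024!", "short"]
    for s in samples:
        print(f"{s!r}: {check_password(s, user_terms=['Jane', 'Doe']) or 'accepted'}")
```

The check returns every violation rather than stopping at the first one, so the user interface can tell the employee exactly why a candidate was rejected. Note that a long passphrase with spaces passes without any symbol or digit, while a short "complex" password that is merely a leet-spelled dictionary word does not.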

5. Eliminate security questions and hints

Knowledge-based recovery hints and questions, such as “What is your first pet?”, are an outdated practice: the answers are often easy to find on social media. Instead, rely on secure recovery methods such as recovery links and verification codes sent during resets.

6. Use modern security tools

Limiting the number of failed login attempts, requiring the use of multi-factor authentication (MFA), and utilizing tools such as an enterprise password manager provide crucial protection against modern cyber threats and help detect compromise.

How have the NIST password requirements changed?

Aspect | Old NIST password guidelines | New NIST password guidelines
Password length | Limit to 8-16 characters | Longer passwords, up to 64 characters
Character complexity | Encouraged | Not required
Mandatory password changes | Required monthly | Only when compromised
Password blocklist | Basic terms | Breached passwords, patterns, and common variations
Recovery methods | Security questions | Links and verification codes
Additional precautions | | MFA and password managers

How to implement the NIST password recommendations

Implementing the updated NIST password recommendations is crucial for maintaining compliance with regulatory frameworks. Even if you aren’t bound by these frameworks, these guidelines will improve your security posture and safeguard your business. Here’s how to implement them.

  • Conduct an audit: Review existing policies against the new NIST guidelines to identify outdated requirements to update.
  • Update your systems: Reconfigure authentication systems according to the new guidelines, such as allowing for longer passwords and no expiration windows.
  • Build your blocklist: Implement screening against breach databases to build out your blocklist. Additionally, include employee or company-specific terms and variations and common patterns in your blocklist.
  • Strengthen security layers: Implement measures like limiting login attempts and delaying reattempts, and use MFA to provide additional protection.
  • Use password management tools: Equip employees with tools like a password manager to automate password creation and storage. These tools eliminate password reuse and ensure good password practices.
  • Communicate changes: Explain the changes to your employees, and, where necessary, conduct training on the use of password management tools.
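Here, as an added example that is not from the article or from Proton Pass, is a Python sketch of the “Strengthen security layers” step: a per-account login throttle that delays re-attempts with an exponential backoff after a few consecutive failures and hard-locks the account at 100 failures, the cap NIST SP 800-63B sets for consecutive failed attempts on one account. The thresholds and delays are constructed values, the clock is injectable so the logic can be exercised deterministically, and lockouts are recorded as events so they can feed compromise detection.

```python
import time
from dataclasses import dataclass

# Policy constants (constructed for this example). NIST SP 800-63B asks
# verifiers to cap consecutive failed attempts per account at 100; the
# backoff schedule below is one reasonable way to slow guessing before that.
MAX_FAILURES = 100       # hard lock after this many consecutive failures
BACKOFF_AFTER = 5        # start delaying re-attempts after this many failures
BASE_DELAY = 2.0         # seconds; doubles on every further failure
MAX_DELAY = 300.0        # cap so a legitimate user is never delayed more than 5 minutes


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success
    not_before: float = 0.0  # clock time before which attempts are refused


class LoginThrottle:
    """Per-account failure counter with exponential delay and a hard lockout.

    The clock is injectable so the behaviour can be tested deterministically;
    production code would also persist state and key on (account, source).
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state: dict[str, AccountState] = {}
        self.events: list[str] = []  # audit trail: a lockout is a compromise signal

    def check(self, account: str) -> tuple[bool, float]:
        """Return (allowed, seconds_to_wait); inf means an out-of-band unlock is needed."""
        st = self.state.get(account)
        if st is None:
            return True, 0.0
        if st.failures >= MAX_FAILURES:
            return False, float("inf")
        now = self.clock()
        if now < st.not_before:
            return False, st.not_before - now
        return True, 0.0

    def record_failure(self, account: str) -> int:
        st = self.state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            self.events.append(f"LOCKOUT account={account} failures={st.failures}")
        elif st.failures >= BACKOFF_AFTER:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - BACKOFF_AFTER))
            st.not_before = self.clock() + delay
        return st.failures

    def record_success(self, account: str) -> None:
        # A successful login clears the counter. A locked account never reaches
        # this point through attempt_login; an administrator clears the lock.
        self.state.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str, verify) -> str:
    """Gate a credential check behind the throttle; `verify` is the real password check."""
    allowed, wait = throttle.check(account)
    if not allowed:
        return "locked" if wait == float("inf") else f"retry in {wait:.0f}s"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "invalid"


if __name__ == "__main__":
    throttle = LoginThrottle()
    ok = lambda account, pw: pw == "correct horse battery staple"  # stand-in verifier
    for _ in range(6):
        print(attempt_login(throttle, "alice", "wrong guess", ok))
    print(attempt_login(throttle, "alice", "correct horse battery staple", ok))
```

The throttle counts only failures and resets on success, so a user who mistypes once is never penalised, while a sustained guessing run is slowed within seconds and eventually stopped. Keying the state on the account (rather than the source address alone) is what makes the cap meaningful against guessing spread across many sources.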

Use Proton Pass to stay compliant with NIST password guidelines

Proton Pass is a business password manager that simplifies compliance with NIST password guidelines. Built with privacy in mind and fully protected with end-to-end encryption, you can easily manage all your password needs with greater peace of mind.

Many of Proton Pass’s features meet the NIST password recommendations — you can generate long and unique passwords, automate logins, and enforce security policies like 2FA. Proton Pass also empowers your teams with a tool that makes adhering to these guidelines the path of least resistance. It is also fully compliant with GDPR, HIPAA, and other data protection standards, simplifying your compliance process.

Frequently asked questions

Where can I read the full NIST password guidelines?

You can find the full NIST password guidelines on the NIST website.

Are the NIST password requirements mandatory for all businesses?

The NIST password requirements are mandatory for federal agencies. For other businesses, the guidelines are not mandatory, but they may become necessary through compliance frameworks such as HIPAA and others. Auditors and contractors may also require NIST compliance.

According to the NIST password recommendations, how long should a password be?

NIST recommends that passwords be at least eight characters in length, with a maximum of 64 characters. It favors longer passwords or passphrases over complex ones, as they tend to be more unique and harder to crack.

How do I create a strong password?

The key to creating a strong password is to avoid predictable patterns, identifiable information, and reused passwords. Use long and unique passwords that combine random words into long phrases, like “lava-milk-nose-noise”, or phrases and sentences that are meaningful to you. A password manager can also automatically generate a strong password for you.

Still uncertain about how best to create a long, strong password and don’t want to sign up for a password manager? Use our password generator tool instead.

How do password managers fit into NIST password guidelines?

A password manager like Proton Pass helps businesses comply with the NIST password guidelines by generating long, unique passwords and eliminating reused passwords. In fact, the NIST guidelines call out password managers as an effective tool for creating strong passwords and recommend their use.

Proton Pass takes this compliance further. Aside from generating long, unique passwords for your employees, it also automates logins and enforces security policies like 2FA and is end-to-end encrypted, meaning no one can gain unauthorized access to your passwords.