COMPLIANCEFebruary 19, 2025·9 min read

NIST Password Guidelines 2025: What Changed and What It Means for You

NIST SP 800-63B updated its guidance. Mandatory rotation is out. Length beats complexity. Here is what changed and what it means for your password policy.

What NIST SP 800-63B actually says in 2025

NIST Special Publication 800-63B is the de facto standard for digital identity management in the US. The 2024-2025 revision (63B-4) made changes that directly contradict what most IT departments still enforce. Here are the key updates.

No more mandatory rotation

NIST explicitly recommends against periodic password expiration unless there is evidence of compromise. The reasoning: forced rotation leads to weak, predictable patterns ("Password1!" becomes "Password2!" at the next rotation). Users who are forced to change passwords every 90 days converge on the weakest password the policy will accept. NIST now says: only require a change when you know or suspect compromise.

Length is the primary strength measure

NIST 800-63B-4 requires a minimum of 8 characters but strongly recommends allowing up to 64 characters. More importantly: NIST says verifiers should not impose composition rules (mandatory uppercase, symbols, etc.). Length is the dominant factor in password strength — a random 16-character lowercase password is significantly stronger than an 8-character password with uppercase, numbers, and symbols.

Breach checking is now required

Section 5.1.1.2 of 800-63B requires that passwords be checked against lists of commonly used, expected, or compromised passwords during creation and reset. This is no longer optional guidance — it's a requirement. Acceptable checks include known breach corpuses like Have I Been Pwned, dictionary word lists, and contextual words (username, site name).

No more SMS-only 2FA for high-value accounts

NIST has downgraded SMS as a second factor to "restricted authenticator" status — it's no longer acceptable as the sole second factor for high-assurance use cases. Authenticator apps, hardware tokens, or push-based 2FA are the recommended path for sensitive systems.

The practical implication for your organisation

If your IT policy still requires 90-day rotation, mandatory symbols, and blocks passwords over 12 characters, it's now out of step with NIST guidance. PassGeni's Policy Generator produces NIST 800-63B aligned password policies for free — with citations and implementation guidance. Use it to update your written policy and bring your enforcement in line with the current standard.

Key topics
NIST SP 800-63Bpassword policymandatory rotationpassword lengthcompliance
Was this post useful?
Frequently asked questions

Questions about this topic

Does NIST still recommend mandatory password rotation?

+

What minimum password length does NIST recommend?

+

Should I still use complexity rules?

+
More posts

Related reading

PCI-DSS v4.0 Raised the Password Bar. Here's What You Missed.

8 min read →

Enterprise Password Policy Template: Copy-Paste and Customise

11 min read →

Password Security in Education: K-12 and Higher Ed Guide

7 min read →