Category: Uncategorized

New NIST Password Guidelines: Simpler, Stronger, and More Secure

What It Means for Your Business

Keeping your company’s digital assets secure is more important than ever, and the National Institute of Standards and Technology (NIST) recently updated its guidelines to simplify and strengthen password management. These changes are designed to make security more effective and less of a headache for businesses like yours.

Simpler, More Secure Passwords

NIST’s latest recommendations (SP 800-63B-4, the authentication volume of the Digital Identity Guidelines) may surprise you: verifiers are now told not to impose composition rules at all, so there is no longer a requirement to mix uppercase letters, numbers, and symbols. While it may seem counterintuitive, those rules often lead to weaker security in practice. People end up creating predictable passwords like “Password123!” that satisfy every checkbox, or writing down hard-to-remember passwords, which compromises security.

Instead, the focus is now on length. NIST requires verifiers to accept passwords of at least 8 characters, recommends a minimum of 15, and says systems should allow at least 64 characters, including spaces and any printable character. The longer the password, the harder it is for cybercriminals to guess or brute-force, and a long passphrase is easier for your team to remember than a short string of symbols, so there is less temptation to resort to post-it notes or recycled passwords. Length is paired with one other check: new passwords should be screened against lists of common and previously breached passwords, since a long password that appears in a breach dump is still a weak one.

No More Forced Password Resets

A common complaint from employees is having to change passwords every few months, which usually produces weaker, more predictable passwords (the old one with a digit incremented). NIST now says verifiers must not require periodic password changes; a change is only forced when there is evidence the password has been compromised. This is good news for businesses: your employees can focus more on their work and less on inventing new passwords that are slightly different from the old ones.

Phasing Out Security Questions

Gone are the days of using questions like “What was your first pet’s name?” as a backup security measure. The answers are easy to guess or look up on social media, and NIST now tells verifiers not to use security questions or password hints at all. Instead, there are better ways to protect your accounts, like multi-factor authentication (MFA).

What You Should Do Now

  1. Encourage Stronger Passwords: Start recommending that your team use passphrases—long, memorable phrases that are difficult to crack. Something like “A Day at the Beach with Friends” is far more secure than a short, complex password like “P@ssw0rd!”
  2. Use a Password Manager: Many businesses still keep passwords in spreadsheets or notes apps, but this is risky. Password managers can securely store and generate passwords, and they can even autofill them for your team when logging into accounts. If your company hasn’t already adopted one, we highly recommend services like Bitwarden, or even built-in solutions from Apple and Google.
  3. Monitor for Breaches: Password resets should be required only when there is evidence of compromise, for example when a password or credential shows up in a breach dump or a vendor notifies you of an incident. If that happens, change the affected passwords immediately and consider freezing credit with the major reporting agencies if sensitive personal information was exposed. We’re here to help with any of these steps and can guide you through best practices to ensure your data remains safe.
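To make the guidelines section and step 1 concrete, here is an added example (not from NIST and not code from this post) in Python that checks a password two ways: a typical legacy composition policy, and a check that follows the SP 800-63B-4 rules described above (8-character minimum, 15 recommended, at least 64 accepted, spaces and Unicode allowed, no composition rules, and a blocklist of common or breached passwords). The blocklist and the sample passwords are constructed for illustration; a real deployment would check against a large breach corpus rather than a hard-coded set.

```python
"""Legacy composition policy vs. a NIST SP 800-63B-4 style password check.

Constructed example: BLOCKLIST and the sample passwords are made up for
illustration. In production the blocklist check would query a breach
corpus (for example a k-anonymity range lookup) instead of a small set.
"""
import unicodedata

# Constructed blocklist of "common" and "previously breached" passwords.
BLOCKLIST = {
    "password", "Password123!", "P@ssw0rd", "P@ssw0rd!",
    "qwerty123", "letmein", "Welcome1", "Summer2024!",
}

MIN_LEN = 8           # verifiers SHALL require at least 8 characters
RECOMMENDED_LEN = 15  # verifiers SHOULD require at least 15 characters
MAX_LEN = 64          # verifiers SHOULD accept at least 64 characters


def legacy_policy(password: str) -> list[str]:
    """Typical pre-800-63B rule set: short minimum plus composition rules.
    Returns a list of violations; an empty list means the password is accepted."""
    errors = []
    if len(password) < 8:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        errors.append("no symbol")
    if " " in password:
        errors.append("spaces not allowed")
    return errors


def _normalize(password: str) -> str:
    # NFKC so visually identical Unicode inputs compare equal before the
    # length and blocklist checks (assumption: NFKC chosen; NFKD is also allowed).
    return unicodedata.normalize("NFKC", password)


def nist_policy(password: str, blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Check a password the way SP 800-63B-4 tells verifiers to: length only
    (counted in code points), no composition rules, spaces and any printable
    character accepted, plus a blocklist check. Empty list means accepted."""
    errors = []
    normalized = _normalize(password)
    length = len(normalized)  # len() counts code points, one per character
    if length < MIN_LEN:
        errors.append(f"shorter than {MIN_LEN} characters")
    if length > MAX_LEN:
        errors.append(f"longer than {MAX_LEN} characters")
    if normalized in blocklist:
        errors.append("appears on the compromised/common password blocklist")
    return errors


def meets_recommended_length(password: str) -> bool:
    """True when the password reaches the 15-character minimum NIST recommends."""
    return len(_normalize(password)) >= RECOMMENDED_LEN


def compare(password: str) -> dict:
    """Run both policies on one password so the difference is visible."""
    return {
        "legacy_accepts": legacy_policy(password) == [],
        "nist_accepts": nist_policy(password) == [],
        "meets_recommended_length": meets_recommended_length(password),
    }


if __name__ == "__main__":
    # The two passwords from the article's step 1, plus a Unicode passphrase.
    for pw in ("P@ssw0rd!", "A Day at the Beach with Friends", "caf\u00e9 au lait forever"):
        print(f"{pw!r}: {compare(pw)}")
```

Running the block shows the inversion the article describes: the legacy policy accepts “P@ssw0rd!” and rejects the passphrase (no digit, no symbol, spaces), while the NIST-style check rejects “P@ssw0rd!” because it is on the blocklist and accepts the 31-character passphrase.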

The Future of Passwords

Cybersecurity experts are pushing for a future where passwords become a thing of the past, replaced by passkeys and biometric authentication. Passkeys are based on public-key cryptography (the FIDO2/WebAuthn standards): the private key stays on the user’s device and is unlocked locally with a fingerprint, face scan or PIN, so there is nothing to remember and nothing reusable for an attacker to phish or steal from a breached server. Major companies like Google and Microsoft are already embracing this shift.

While passwords aren’t going away just yet, these changes from NIST are an important step forward in making your business’s digital identity more secure without adding unnecessary complexity.

We’re here to help you understand how these changes apply to your own environment, and we can assist in setting up systems like password managers or MFA to strengthen your security posture.