NIST Releases New Password Rules: What Does It Mean for You?

NIST Releases New Password Rules

NIST Releases New Password Rules: What Does It Mean for You?


The National Institute of Standards and Technology (NIST) recently proposed new password guidelines that validate what many managed service providers have been recommending for years.

The goal is to eliminate outdated methods that, at face value, appear to improve security but lead to people using predictable and weaker password patterns.

What are the Updated Password Guidelines?

For a full list of NIST’s recommendations for online service providers, click here. Here are our key takeaways:

  • Don’t make symbols, numbers and uppercase letters mandatory: Stop forcing users to create complicated passwords with arbitrary rules.
  • Less frequent password changes: Don’t force password changes every 30, 60 or 90 days.
  • Longer passwords: Passwords should be at least 15 characters.

“While these guidelines are meant for online service providers and not designed to tell you how to create passwords, there are some takeaways you can implement into your password habits.”

Why Does This Matter?

For the longest time, complexity has been at the root of selecting secure passwords. Forcing you to create a password with at least one lowercase letter, one uppercase letter, a number and a symbol makes it very difficult for a hacker or program to crack.

But when people are forced to abide by these rules and then forced to change that password regularly, they tend to create patterns that seem secure and unique on paper but aren’t.

How many times have you been forced to change your password only to add one number, one symbol, the month or the year at the end of your original password? Hackers know these tricks, and it doesn’t make your accounts more secure.

Instead, you should try to create longer passwords (or passphrases) that are easier to remember and satisfy the 15-character or higher recommendation. A passphrase like “GreenPhoneTurkeyDrive” is much stronger than “P@$$W0rD2024,” easier to remember and doesn’t fall into a pattern that can be easily guessed.

The point is to stop relying on complexity and start focusing on length and uniqueness.

What Should You Do Now?

While these guidelines are meant for online service providers and not designed to tell you how to create passwords, there are some takeaways you can implement into your password habits.

  • Create long passwords: Avoid short, weak passwords and strive for at least 15 characters. Consider passphrases that are easier to remember.
  • Stop changing passwords unless you have to: Only change your password after a data breach. As noted, changing your password regularly usually leads to weak, predictable patterns anyway.
  • Use a password manager: If you’ve got too many passwords to remember, try a password manager. There are free versions of LastPass, Bitwarden, KeePass and Dashlane that can generate secure passwords for you and store them safely.

Keep Your Organization’s Data Secure

Need help improving your password security or finding the right tools for your business? Contact us here to see how we can help keep your business running smoothly while increasing productivity, security and profitability.

Did you like this blog? You can subscribe to our newsletter to receive a weekly email with our latest blog posts.

Share this post