Everything You Know About Passwords Is Wrong: NIST 2025 Guidelines Explained
Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.
Remember when your IT department forced you to change your password every 90 days? Or when websites rejected your password because it didn't have a capital letter, a number, and a special character? Turns out, that advice was actually making us less secure.
In August 2025, the National Institute of Standards and Technology (NIST) released SP 800-63B Revision 4, their updated digital identity guidelines. And it flips decades of password advice on its head.
Here's what the US government's cybersecurity experts now say you should actually do with your passwords, and why everything you learned before was wrong.
Why this matters: NIST guidelines influence password policies worldwide. If your bank, employer, or government changes their password requirements, these guidelines are why. Understanding them helps you advocate for better security.
What NIST Says to Stop Doing
Let's start with the rules that should die. These are practices NIST now explicitly says organizations should NOT require.
Stop Requiring Character Composition Rules
From the official NIST SP 800-63B text:
"Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords."
That means no more mandatory uppercase letters. No required numbers. No forced special characters. The rule that created passwords like P@ssw0rd! is officially dead.
Why? Because composition rules don't actually make passwords stronger. They make them more predictable. When forced to include a capital letter, most people capitalize the first letter. Forced to add a number? They add "1" at the end. Special character? It's usually "!" or "@".
Attackers know this. Their password cracking tools try these patterns first. A password like P@ssw0rd! follows every composition rule but is cracked in seconds.
Stop Forcing Password Changes
Another rule from NIST:
"Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically."
The 90-day password rotation that IT departments have enforced for decades? NIST says stop. Only change passwords when there's evidence they've been compromised.
The research is clear: mandatory password changes lead to weaker passwords. When people are forced to change passwords frequently, they make minimal changes. Winter2024! becomes Winter2025!. MyPassword1 becomes MyPassword2. These sequential passwords are trivial to guess.
Worse, frequent changes encourage people to write passwords down, reuse them across sites, or create simpler passwords they can remember through multiple rotations.
The exception: Passwords should still be changed immediately if there's evidence of compromise. If a breach exposes your password hash, or if suspicious activity is detected on your account, change it right away.
Stop Using Password Hints
Those security questions like "What's your mother's maiden name?" or password hints you set during registration? NIST says those need to go too.
"Verifiers SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant."
Password hints and security questions are often easier to guess than the password itself. In the era of social media, your mother's maiden name, first pet's name, and childhood street are all findable on Facebook.
What NIST Says to Start Doing
Now for the positive recommendations. These are the practices that actually improve security.
Use Longer Passwords (15+ Characters)
The single most important change: length matters more than complexity.
"Verifiers and CSPs SHALL require passwords that are used as a single-factor authentication mechanism to be a minimum of 15 characters in length."
For accounts protected by multi-factor authentication (MFA), the minimum drops to 8 characters. But 15 is the new baseline for password-only accounts.
Why length? Math. A random 8-character password using all character types (uppercase, lowercase, numbers, symbols) has about 6 quadrillion possible combinations. Sounds like a lot, but modern GPUs can test billions of combinations per second. An 8-character password can be cracked in hours or days.
A 15-character password, even using only lowercase letters, has over 1.6 septillion combinations. That's billions of times harder to crack, even with powerful hardware.
| Password Type | Example | Crack Time* |
|---|---|---|
| 8 char, complex | P@ssw0rd |
Hours to days |
| 12 char, lowercase | purplemonkey |
Months |
| 15 char, mixed | correct horse bat |
Centuries |
| 20+ char passphrase | my cat loves pizza on fridays |
Heat death of universe |
*Approximate times using current GPU hardware against properly hashed passwords
Support Passphrases
NIST wants systems to support passphrases, not just passwords:
"Verifiers SHALL allow the use of all printable ASCII characters (including the space character), Unicode characters, and maximum lengths of at least 64 characters."
Spaces are explicitly allowed. Unicode characters (including characters from other languages) are allowed. This enables passphrases like:
my cat sleeps on the keyboard every nightcorrect horse battery stapleI love pizza with extra cheese 2025!
These are easier to remember than xK9#mP2$qL and significantly harder to crack.
Screen Passwords Against Breach Lists
This is a major new requirement:
"Verifiers SHALL compare the user-chosen password against a blocklist of compromised values including: passwords obtained from previous breach corpuses, dictionary words, and context-specific words such as the name of the service."
When you create a password, the system should check if it appears in known data breaches. Services like Have I Been Pwned provide APIs for this. If your chosen password is on the list, you should be required to pick something else.
This stops the most common attack vector: credential stuffing. Attackers take passwords from one breach and try them on other sites. If your password was in the LinkedIn breach, they'll try it on your bank.
Check your passwords: Visit Have I Been Pwned to see if your email or passwords have appeared in known data breaches. It's free and run by security researcher Troy Hunt.
Encourage Password Managers
NIST explicitly supports password managers:
"Verifiers SHALL allow the use of password managers and autofill functionality."
Systems should not block paste functionality in password fields. They should not prevent browser autofill. They should work smoothly with password managers like 1Password, Bitwarden, or Apple's iCloud Keychain.
Why? Because password managers solve the core problem: humans can't remember dozens of unique, strong passwords. Password managers can. They generate random passwords, store them securely, and autofill them when needed.
If your bank's website blocks paste in the password field, they're violating NIST guidelines and making you less secure.
Show Passwords When Requested
A small but important usability improvement:
"Verifiers SHOULD provide the option to display the password rather than masking it, to assist the user in successfully entering the password."
That "show password" toggle button? NIST says systems should have one. Being able to verify what you've typed reduces errors and the frustration of failed login attempts.
The Future: Passkeys
NIST's 2025 revision also embraces the future of authentication: passkeys (also called syncable authenticators).
"Syncable authenticators are cryptographic credentials that can be securely synchronised across a user's devices."
Passkeys are the technology behind "Sign in with Face ID" or "Sign in with fingerprint" prompts you're seeing on more websites. They use public-key cryptography, the same technology that secures HTTPS connections.
Here's how passkeys differ from passwords:
| Feature | Passwords | Passkeys |
|---|---|---|
| Storage | Server stores hash of your password | Server stores only public key |
| If breached | Attackers get password hashes to crack | Public keys are useless to attackers |
| Phishing | Fake sites can steal passwords | Cryptographically tied to real domain |
| Reuse risk | Same password on multiple sites is common | Each passkey is unique per site |
| User experience | Type, remember, forget, reset | Biometric or device PIN |
Apple, Google, and Microsoft all support passkeys. They sync across your devices through iCloud Keychain, Google Password Manager, or Windows Hello. When a website offers "Sign in with passkey," it's using this technology.
Passkeys aren't a complete password replacement yet, many sites don't support them, but NIST is signaling that this is the direction authentication is heading.
What You Should Do Now
Based on NIST's recommendations, here's how to improve your password security today:
1. Use a Password Manager
If you do nothing else, do this. A password manager lets you have a unique, random password for every site without remembering any of them.
Good options:
- Bitwarden: Free, open source, cross-platform
- 1Password: Excellent UX, good family plans
- Apple iCloud Keychain: Free if you're in the Apple ecosystem
- Google Password Manager: Free, built into Chrome
2. Create Long Passphrases for Master Passwords
Your password manager needs one strong master password. Make it a passphrase: at least 20 characters, easy to remember, hard to guess.
Good: my orange cat knocks things off tables
Bad: Tr0ub4dor&3
3. Enable Multi-Factor Authentication Everywhere
MFA (also called 2FA) means even if someone gets your password, they can't log in without your phone or security key. Enable it on:
- Email (most important, it's the recovery point for everything)
- Banking and financial accounts
- Social media
- Cloud storage
- Your password manager
Best MFA options: Hardware security keys (like YubiKey) are most secure, followed by authenticator apps (like Authy or Google Authenticator). SMS codes are better than nothing but vulnerable to SIM swapping attacks.
4. Enable Passkeys Where Available
Major services now support passkeys:
- Google accounts
- Apple ID
- Microsoft accounts
- PayPal
- eBay
- GitHub
- Many more (check passkeys.directory)
5. Check for Breached Passwords
Use Have I Been Pwned to check if your email or passwords appeared in breaches. Change any compromised passwords immediately.
6. Protect Your Privacy Online
Strong passwords are just one part of online security. You should also:
- Check what you're exposing at myip.foo
- Use a VPN like NordVPN to encrypt your connection
- Test for leaks with our DNS Leak Test and WebRTC Leak Test
- Install our free WebRTC Blocker extension
Common Questions
If complexity doesn't matter, can I use "aaaaaaaaaaaaaaaa"?
No. Passwords still need to be unpredictable. A 15-character string of the same letter, or a simple phrase like "passwordpassword", will be on breach lists and blocked. The point is that correct horse battery staple is better than Tr0ub4dor&3, not that all complexity is bad.
Should I change all my passwords now?
Only if they're weak (under 15 characters, on breach lists, or reused across sites). If you're already using a password manager with unique, random passwords, you're ahead of the curve. Focus on adding MFA where you haven't.
Why does my bank still require password changes?
Organizations are slow to update policies. NIST guidelines are recommendations, not laws. Many organizations have legacy systems or compliance requirements that haven't caught up. You can point them to NIST SP 800-63B if you want to advocate for change.
Are these guidelines just for the US?
NIST is a US agency, but their guidelines are highly influential globally. Many international standards (like ISO 27001) reference NIST. European and Asian organizations often adopt NIST recommendations. When NIST speaks, the security industry listens.
What if a site forces composition rules?
Use a password manager to generate a random password that meets their requirements. The site's rules might be outdated, but you can still create a strong password within their constraints. A random xK9#mP2$qL7@nB4! is still strong, it's just harder to remember manually (which is why password managers matter).
Conclusion
NIST's 2025 password guidelines represent a major shift in security thinking. The old rules, complexity requirements, forced rotations, security questions, actually made us less secure by encouraging predictable behavior.
Key takeaways:
- Length beats complexity: use 15+ character passphrases
- Stop changing passwords on a schedule (only change when compromised)
- Use a password manager for unique passwords everywhere
- Enable multi-factor authentication on important accounts
- Try passkeys where available (they're the future)
- Check your passwords against breach databases
The goal isn't to make passwords harder to use. It's to make them harder to attack. A passphrase you can remember is better than a complex password you write on a sticky note. A unique password from a manager is better than the same strong password on every site.
Improve your security today:
The next time your IT department tells you to change your password because it's been 90 days, send them NIST SP 800-63B. The US government's cybersecurity experts are on your side.