Most organizations have password policies. Most of them are terrible.
They require uppercase, lowercase, numbers, symbols, and rotation every 90 days. Users hate them. IT hates them. And according to NIST—the organization that originally recommended this approach—they're actively counterproductive.
Here's what NIST actually recommends now, and why it matters.
What Changed
In 2017, NIST updated their Digital Identity Guidelines (SP 800-63B), and the changes were significant:
Out: Mandatory complexity rules (uppercase, symbols, etc.)
In: Minimum length of 8 characters, with longer being better
Out: Forced periodic rotation (every 90 days)
In: Change passwords only when there's evidence of compromise
Out: Arbitrary composition rules
In: Check passwords against known breach lists
The reasoning is simple: the old rules created passwords that were hard for humans to remember but easy for computers to crack. "P@ssw0rd1!" satisfies every complexity rule and takes about 0.2 seconds to crack.
Length Beats Complexity
A 16-character passphrase like "correct-horse-battery-staple" is orders of magnitude more secure than "P@ssw0rd1!" while being far easier to remember.
Why? Because password cracking is a search problem. Each additional character multiplies the number of candidates by the size of the character set, so the search space grows exponentially with length. A dictionary word with symbol substitutions follows predictable patterns that cracking tools try first, so its real search space is a small fraction of what its length suggests. A genuinely long passphrase, even one built from random words, has no such shortcut.
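To make the search-space argument concrete, here is an added example (not code from the original post) that estimates the work an attacker faces for the two passwords above. The dictionary, the wordlist size of 100,000, the 10,000 mangling variants per word, and the leet substitution table are all constructed assumptions that stand in for a real cracking wordlist and rule set; the 7776-word figure is the size of a standard diceware list.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption). Real lists hold
# hundreds of thousands of entries; DICT_SIZE models that size.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey",
              "correct", "horse", "battery", "staple"}
DICT_SIZE = 100_000          # assumed size of the attacker's wordlist
MANGLE_VARIANTS = 10_000     # assumed leet/capitalisation/suffix rules tried per word
WORDLIST_SIZE = 7776         # size of a standard diceware list

# Symbol-for-letter substitutions that cracking rules routinely undo.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker would have to assume for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Search space (in bits) if every character had to be guessed independently."""
    return len(pw) * math.log2(charset_size(pw))


def mangled_base_word(pw: str):
    """Return the dictionary word hiding behind leet substitutions and a
    trailing run of digits/symbols, or None if there is none."""
    s = pw
    while s:
        core = s.lower().translate(LEET)
        if core in DICTIONARY:
            return core
        if s[-1] in string.ascii_letters:   # only strip trailing digits/symbols
            return None
        s = s[:-1]
    return None


def passphrase_words(pw: str):
    """Split on common separators; return the words if every one is a dictionary word."""
    words = pw.replace("-", " ").replace("_", " ").split()
    if len(words) >= 2 and all(w.lower() in DICTIONARY for w in words):
        return words
    return None


def effective_bits(pw: str) -> float:
    """Estimated work for an attacker who knows the common patterns:
    a mangled dictionary word costs |wordlist| x |rules| guesses, a passphrase
    of n known words costs |wordlist|^n, anything else is brute force."""
    if mangled_base_word(pw):
        return math.log2(DICT_SIZE * MANGLE_VARIANTS)
    words = passphrase_words(pw)
    if words:
        return len(words) * math.log2(WORDLIST_SIZE)
    return brute_force_bits(pw)


def work_ratio(weaker: str, stronger: str) -> float:
    """How many times more guesses the stronger password costs than the weaker one."""
    return 2 ** (effective_bits(stronger) - effective_bits(weaker))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correct-horse-battery-staple"):
        print(f"{pw!r}: naive {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits")
    print(f"passphrase costs {work_ratio('P@ssw0rd1!', 'correct-horse-battery-staple'):.0f}x more work")
```

The naive figure for "P@ssw0rd1!" is about 65 bits, but once the attacker's rules reduce it to "password" plus a suffix it is closer to 30 bits under these assumptions, while four words chosen from a diceware list cost about 52 bits even when the attacker knows the list. Any entropy estimator of this kind is only as good as its model of the attacker; the point is the direction of the gap, not the exact numbers.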
Why Rotation Hurts Security
Mandatory password rotation sounds like good hygiene. In practice, it creates terrible behavior:
- Users increment numbers: Password1 → Password2 → Password3
- Users write passwords down because they can't remember the current one
- Users reuse the same base password across systems with minor variations
- Password resets spike immediately after rotation deadlines
NIST's current guidance: don't force rotation unless there's evidence of compromise. A strong password that hasn't been breached is better than a weak password that was changed yesterday.
Check Against Breach Lists
Here's something most password policies miss: checking whether a password has appeared in previous breaches. Services like Have I Been Pwned maintain lists of billions of compromised passwords.
If a user tries to set their password to "Summer2024!" and that exact string appears in 47 previous breaches, they shouldn't be allowed to use it—regardless of how "complex" it looks.
Modern identity providers (Okta, Azure AD, etc.) can integrate breach-list checking. If yours can, turn it on.
What Good Policy Looks Like
Based on current NIST guidance:
- Minimum 12 characters (longer is better; 16+ for privileged accounts)
- No complexity requirements (let users choose what works for them)
- Screen against breach lists (block known-compromised passwords)
- No forced rotation (unless there's evidence of compromise)
- Require MFA everywhere (passwords alone aren't enough)
That last point is crucial. NIST's guidance on passwords is paired with strong recommendations for multi-factor authentication. The best password in the world doesn't help if someone gets it through phishing. MFA provides defense in depth.
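The breach-list check described in "Check Against Breach Lists" and the policy summarised in the list above can be put together into a small validator. The following is an added example, not code from the original post or from any identity provider. It uses the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API offers (the client sends only the first five hex digits of the password's SHA-1 and matches the rest locally), but the `range_response` function here stands in for the server with a constructed breach corpus and made-up counts so that the example runs offline. `MIN_LENGTH` and `PRIVILEGED_MIN_LENGTH` take the values from the list above.

```python
import hashlib

# Constructed stand-in for a breach corpus (assumption). Counts are made up.
BREACHED_CORPUS = {
    "Summer2024!": 47,
    "P@ssw0rd1!": 12_000,
    "password": 9_000_000,
    "qwerty": 3_800_000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_response(prefix: str) -> str:
    """Stands in for the server side of a range query: every stored hash whose
    first five hex digits match the prefix, as 'SUFFIX:COUNT' lines.
    The server never learns which suffix the client is interested in."""
    lines = []
    for pw, count in BREACHED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, fetch_range=range_response) -> int:
    """Return how often the password appears in breach data (0 = not found).
    Only the 5-hex-digit prefix leaves this function; matching is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


# Policy values from the list above.
MIN_LENGTH = 12
PRIVILEGED_MIN_LENGTH = 16


def validate_password(password: str, privileged: bool = False,
                      fetch_range=range_response) -> list:
    """Return rejection reasons; an empty list means the password is acceptable.
    Deliberately no character-class rules and no age check: length and
    breach status are the only criteria, per SP 800-63B."""
    reasons = []
    required = PRIVILEGED_MIN_LENGTH if privileged else MIN_LENGTH
    if len(password) < required:
        reasons.append(f"fewer than {required} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        reasons.append(f"found in breach data ({seen} occurrences)")
    return reasons


if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd1!", "correct-horse-battery-staple"):
        print(f"{pw!r}: {validate_password(pw) or 'accepted'}")
```

To use the real service, replace `range_response` with a function that performs an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the parsing in `breach_count` stays the same. Note what is absent: no uppercase/digit/symbol checks, no "last changed" date, and no reason to store the password in anything but a salted, slow hash once it has passed.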
The Password Manager Solution
Here's my practical advice: use a password manager.
Password managers solve the human memory problem. They generate truly random passwords, store them securely, and auto-fill them when needed. Users only need to remember one strong master password (which should be a long passphrase).
Recommended options:
The organizational version: deploy a team password manager, require its use for all work accounts, and set the master password requirements to align with NIST guidance (long passphrase, checked against breaches, MFA enabled).
The Audit Conversation
When an auditor asks about your password policy, here's what you want to be able to say:
"We require minimum 12-character passwords, screen them against breach lists, enforce MFA on all accounts, and don't force rotation unless there's evidence of compromise. This aligns with current NIST SP 800-63B guidance."
That's a defensible, modern password policy that actually improves security instead of just creating the appearance of it.
Security awareness training should teach people why these practices matter, not just what the rules are. Our Training platform delivers practical security guidance directly in Slack.
