Though it has taken 13 years for NIST (the U.S. National Institute of Standards and Technology) to catch up, here are the new guidelines.
For consumers and business users, the new 2025 NIST password guidelines (SP 800-63B, Revision 4) represent a major shift toward simpler, more user-friendly, and more effective password practices that emphasize length and usability over complexity. The changes will gradually influence nearly all online services as businesses and government agencies adopt these practices to strengthen digital security.
Key Takeaways for Consumers
The updated NIST guidelines state that:
- Password complexity rules are no longer required. You don’t need to mix random uppercase, numbers, and symbols unless you want to. Instead, focus on length and uniqueness.
- Password length is the main defense. Longer passphrases are more secure and easier to remember. NIST recommends:
  - At least 15 characters if the password is the sole method of login.
  - At least 8 characters for accounts that use multi-factor authentication (MFA).
  - Systems must accept passwords of at least 64 characters, and must allow spaces and Unicode characters, so users can create long phrases like “purpleblueskyscraperbike” or a sentence with spaces in it. Length is counted in characters (Unicode code points), not bytes.
- No more regular password resets. Passwords only need to be changed when there’s evidence of compromise or a security breach, which prevents weaker replacements caused by forced resets.
- Password hints and security questions are discouraged, as personal details are easily available online. Recovery should instead use secure codes or recovery links.
- Password “blocklists” are required. Weak or previously breached passwords like “Password1!” must be automatically rejected.
- Multi-factor authentication and password managers are strongly recommended to enhance security and usability.
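To show what these rules look like when a website actually enforces them, here is an added example (written for this post, not code from NIST or from any product) of a password check that follows the guidelines listed above: a length floor of 15 characters for a password-only login or 8 with MFA (the thresholds as stated on this page), a generous ceiling above 64, no composition rules, Unicode normalization before hashing, a blocklist of common passwords, and a breach check done the privacy-preserving way, where only the first five hex characters of the password's SHA-1 hash leave the device. The blocklist and the "breach database" are small constructed samples, the 128-character ceiling is an assumed value, and `simulated_range_lookup` stands in for a real breach-lookup service.

```python
import hashlib
import unicodedata

# Constructed sample blocklist of common passwords (a real deployment would load
# a large list of breached and commonly used passwords).
BLOCKLIST = {
    "password", "password1", "password1!", "123456", "qwerty",
    "letmein", "welcome", "iloveyou", "admin",
}

# NIST requires the maximum accepted length to be at least 64; 128 is an
# assumed, comfortably larger ceiling chosen for this example.
MAX_LEN = 128


def normalize(password: str) -> str:
    # Apply Unicode normalization (NFKC) so the same visible string always
    # produces the same hash regardless of how the keyboard encoded it.
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, mfa: bool, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason) for a new password under the NIST-style rules."""
    pw = normalize(password)
    n = len(pw)                       # counts Unicode code points, not bytes
    min_len = 8 if mfa else 15        # thresholds as stated on this page
    if n < min_len:
        return False, f"too short: {n} characters, need at least {min_len}"
    if n > MAX_LEN:
        return False, f"too long: {n} characters, maximum {MAX_LEN}"
    # Blocklist comparison is case-insensitive so "Password1!" is rejected too.
    if pw.lower() in blocklist:
        return False, "appears on the blocklist of common or breached passwords"
    # Deliberately no composition rule: spaces, plain words and Unicode are fine.
    return True, "ok"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the normalized password (the hash used by
    range-style breach lookups)."""
    return hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()


# Constructed sample of "breached" passwords with occurrence counts, indexed
# the way a range-lookup service would: 5-hex-char prefix -> {suffix: count}.
BREACHED_COUNTS = {"Password1!": 1200, "letmein": 350, "Summer2024": 40}


def build_range_index(breached_counts: dict[str, int]) -> dict[str, dict[str, int]]:
    index: dict[str, dict[str, int]] = {}
    for pw, count in breached_counts.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


SIMULATED_BREACH_DB = build_range_index(BREACHED_COUNTS)


def simulated_range_lookup(prefix: str) -> dict[str, int]:
    # Stand-in for a network call to a breach service: given a 5-character
    # prefix, return every known suffix sharing it with its breach count.
    return SIMULATED_BREACH_DB.get(prefix.upper(), {})


def breach_count(password: str, range_lookup=simulated_range_lookup) -> int:
    """k-anonymity check: only the hash prefix is sent; the full hash is never
    disclosed. Returns how many times the password appeared in breaches (0 = not seen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_lookup(prefix).get(suffix, 0)


if __name__ == "__main__":
    for candidate, mfa in [("purpleblueskyscraperbike", False),
                           ("Password1!", True), ("correct horse", True),
                           ("Tr0ub4dor&3", False)]:
        ok, reason = check_password(candidate, mfa)
        print(f"{candidate!r} (mfa={mfa}): {'accepted' if ok else 'rejected'} - {reason}")
    print("breach count for 'Password1!':", breach_count("Password1!"))
```

The interesting detail is the breach check: the service only ever sees a five-character hash prefix that matches thousands of other passwords, and the comparison against the returned suffixes happens on the client. A real service returns the suffixes as `SUFFIX:COUNT` lines over HTTPS; the logic is otherwise the same.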
What This Means for You
For ordinary users, the NIST updates mean password creation and management will become easier and more secure over time:
- You can focus on creating long memorable phrases instead of complex, short combinations.
- You won’t have to change your password every few months, reducing frustration while improving consistency.
- Many websites and apps will begin implementing password strength checks and breach screening, automatically warning you if your password is too weak or has been exposed.
- Expect more platforms to support password managers and passkeys, with fewer old-style recovery questions.
Ultimately, this means online accounts will become easier to maintain and significantly harder for hackers to break, while reducing the headache of frequent resets and arbitrary complexity rules.
Link to the NIST password document:
https://pages.nist.gov/800-63-4/sp800-63b.html