Skip to content

What does modern NIST 800-63B guidance say about passwords?

Short answer

Modern NIST SP 800-63B favors length over complexity: allow long passphrases (at least 8, support 64+), accept all characters including spaces, and don't impose composition rules like 'one uppercase, one symbol.' Screen new passwords against known-breached lists, drop mandatory periodic expiration (rotate only on evidence of compromise), and ditch knowledge-based 'security questions.' The aim is rules that resist real attacks instead of just annoying users into predictable patterns.

The old advice — "8 characters, one uppercase, one number, one symbol, change it every 90 days" — turned out to make passwords worse. NIST SP 800-63B rewrote the guidance around what actually resists attacks.

Length beats complexity

The headline change: prioritize length, not composition. Require a reasonable minimum (at least 8), but support long passphrases (64+ characters) and accept all printable characters, including spaces and emoji. A long, memorable passphrase has far more entropy and is easier to remember than P@ss1! — which composition rules merely nudge everyone toward.

Critically, NIST says do not impose composition rules ("must contain..."). They predictably push users into the same weak patterns (Password1!) that attackers' cracking rules already expect.

Screen against breached passwords

When a user sets or changes a password, check it against a list of known-compromised passwords (e.g. from public breach corpuses) and reject matches. This directly blunts credential stuffing, where attackers replay leaked passwords. It's higher-value than any composition rule.

Stop forced periodic expiration

NIST removed mandatory periodic rotation. Forcing 90-day changes just produces Spring2026!Summer2026!. Instead, rotate only on evidence of compromise. Routine expiration adds friction without security.

Other modern dos and don'ts

  • Allow paste and password managers — they enable strong, unique passwords.
  • Drop knowledge-based "security questions" ("first pet") — the answers are guessable or OSINT-findable.
  • Offer a "show password" toggle and don't truncate silently.
  • Most importantly, layer MFA — ideally phishing-resistant — because no password policy alone is sufficient.

What interviewers look for: you state length-over-complexity, breached-password screening, and no forced expiration, and you can explain why the old rules backfired — they optimized for looking secure rather than resisting cracking and stuffing.

Likely follow-ups

  • Why does forced complexity often weaken passwords in practice?
  • Why did NIST drop mandatory periodic password expiration?
  • What's the value of checking against a breached-password list?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.