  • What are NIST password guidelines?
  • What changed in the latest NIST password guidelines?
  • Key requirements of NIST password guidelines in 2026
  • How to implement NIST password guidelines
  • Password security best practices
  • FAQ: Common questions about NIST password guidelines

New NIST password guidelines: What changed and how to stay compliant

Featured 30.06.2026, 12 min read
Written by Shauli Zacks
Reviewed by Ana Jovanovic
Edited by Sam Boyd

The National Institute of Standards and Technology’s (NIST) current password guidance discourages forced periodic password changes, password hints, security questions, and arbitrary composition rules. It instead emphasizes longer passwords, blocklist screening for compromised or commonly used passwords, rate limiting, password managers, and phishing-resistant authentication options.

In this guide, we’ll break down the current NIST password guidelines for 2026, including what changed in the latest revision, what matters most, and how to build a password policy that improves security without making life harder for users.

What are NIST password guidelines?

NIST password guidelines are part of NIST’s broader Digital Identity Guidelines. They explain how organizations should handle authentication, including passwords, passkeys, one-time codes, multi-factor authentication (MFA), account recovery, and secure authenticator management.

These guidelines set requirements for federal digital identity systems, but many companies, security teams, and compliance professionals also use them as a trusted baseline.

For password policies, the relevant standard is NIST Special Publication 800-63B-4, published in July 2025. It focuses on authentication systems that reduce security risks without relying on frustrating password requirements or leading to weaker habits.

NIST also publishes the broader cybersecurity framework, which helps organizations understand and manage cybersecurity risk beyond passwords and authentication.

Overview of NIST

The National Institute of Standards and Technology (NIST) is a U.S. government agency within the Department of Commerce. It develops measurement science, technical standards, and guidance that support security, reliability, and innovation across many industries.

NIST’s work covers areas such as communications, health records, electric grids, computer chips, building safety, and cybersecurity. It helps create the technical foundation that many public and private systems rely on.

For cybersecurity, NIST publishes widely used frameworks and guidance that help organizations manage risk, protect systems, and improve security practices. Its password guidance is part of this broader work, giving organizations a trusted baseline for modern authentication and password policy.

What SP 800-63B-4 covers

SP 800-63B-4 covers authentication and authenticator management. It explains how organizations should verify that someone trying to access an account has control of an approved sign-in method, such as a password, passkey, one-time code, or security key.

The publication defines technical requirements for three Authenticator Assurance Levels (AALs), which help organizations match authentication strength to risk. A low-risk service, for example, may not need the same login protections as a system that stores sensitive personal, financial, or business data.

For password security, SP 800-63B-4 covers areas such as:

  • Password length and composition rules
  • Password screening against commonly used, expected, or compromised passwords
  • Login attempt limits
  • Password reset and recovery processes
  • MFA
  • Authenticator lifecycle management

Who needs to follow NIST password guidance

U.S. federal agencies and contractors that build or manage federal digital identity systems must follow NIST guidelines.

For private companies, NIST password guidance isn’t mandatory. However, NIST guidance is especially useful for:

  • IT and security teams updating password policies
  • Compliance teams documenting authentication controls
  • Organizations handling sensitive customer or employee data
  • Software as a Service (SaaS) platforms designing account login and recovery flows
  • Businesses reducing credential stuffing, phishing, and password reuse risks

What changed in the latest NIST password guidelines?

NIST’s latest password guidance shifts the focus from rigid password rules to stronger, more usable authentication. The biggest changes include:

  • Longer passwords: Passwords used as the only authentication factor must be at least 15 characters long.
  • Fewer arbitrary rules: Organizations shouldn’t require specific character mixes, such as one uppercase letter, one number, or one special character.
  • No routine password expiration: Passwords should be changed when there is evidence of compromise, not on a fixed schedule.
  • Password screening: New and changed passwords must be checked against blocklists of common, expected, or compromised passwords.
  • No password hints or security questions: Recovery methods shouldn’t rely on personal information that attackers may guess, find, or steal.
  • Better usability: Organizations should allow password managers, auto-fill, and longer passphrases so secure behavior is easier for users.

Image: Key updates in the NIST password guidelines, including longer passwords, fewer forced complexity rules, fewer routine resets, password blocklists, and improved usability.

Key requirements of NIST password guidelines in 2026

The latest NIST password guidelines focus on a few core ideas: make passwords long enough to resist guessing, screen them against risky choices, protect login flows from abuse, and store credentials in a way that limits damage if systems get breached. NIST also treats passwords as only one part of authentication, especially for higher-risk accounts.

Password length and usability requirements

NIST prioritizes longer passwords over forced complexity rules. Passwords used as the only authentication factor must be at least 15 characters long. Passwords used as part of MFA can be shorter but must still be at least eight characters. Systems should also allow passwords of at least 64 characters.

Every extra character in a password significantly increases the number of guesses an attacker may need to try to break into an account or service. A short password that includes a number or symbol can still be weak if it follows a predictable pattern. A longer passphrase made from several unrelated words is often easier to remember and harder to guess.

NIST also says organizations shouldn’t require arbitrary character mixes, such as one uppercase letter, one number, or one special character. Users can still include numbers and symbols, but length, uniqueness, and blocklist screening are more important than forced complexity.

Password screening against breached credentials

NIST requires organizations to screen new and changed passwords against blocklists of commonly used, expected, weak, or previously compromised passwords.

This approach checks whether a password is likely to be guessed or already exposed, not whether it includes certain character types. For example, a password that includes uppercase letters, numbers, and symbols may still be risky if it follows a common pattern or appears in known breach data.
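To make the length and screening rules above concrete, here is an added Python example (not code from NIST or from this article) of a verifier-side acceptance check: it enforces only the length floors, a generous ceiling, and blocklist lookups, and never inspects character classes. The blocklist entries, the company-specific terms, and the 256-character ceiling are constructed assumptions.

```python
# Added illustration of the acceptance rules above; not NIST's or the article's code.
from dataclasses import dataclass

# Length floors from the article: 15 characters when the password is the only
# factor, 8 when it is one factor of MFA. Verifiers must accept at least 64;
# the ceiling here is only a guard against pathological input (assumed value).
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_MFA = 8
MAX_LEN_ACCEPTED = 256

# Constructed stand-ins for breach data / common-password lists and for the
# company- and product-specific terms the article says to screen for.
BREACHED_OR_COMMON = {"password123456789", "correcthorsebatterystaple", "letmein"}
CONTEXT_TERMS = {"examplecorp", "widgetpro"}


@dataclass
class Verdict:
    ok: bool
    reason: str = ""  # user-facing explanation, per the article's advice on error messages


def check_password(pw: str, *, mfa: bool = False) -> Verdict:
    """Accept or reject a new/changed password without any composition rules."""
    min_len = MIN_LEN_MFA if mfa else MIN_LEN_SINGLE_FACTOR
    # len() counts characters, not bytes, so non-ASCII letters are not penalised.
    if len(pw) < min_len:
        return Verdict(False, f"Password must be at least {min_len} characters long.")
    if len(pw) > MAX_LEN_ACCEPTED:
        return Verdict(False, f"Password must be at most {MAX_LEN_ACCEPTED} characters long.")
    norm = pw.casefold()  # compare case-insensitively; 'Password' and 'password' carry the same risk
    if norm in BREACHED_OR_COMMON:
        return Verdict(False, "This password appears in lists of commonly used or exposed "
                              "passwords. Choose a longer, more unique password.")
    for term in CONTEXT_TERMS:
        if term in norm:
            return Verdict(False, f"Password must not contain the company or product name '{term}'.")
    return Verdict(True)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple 2026", "ExampleCorp-2026-rocks!"):
        v = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if v.ok else 'rejected: ' + v.reason}")
```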

Authenticator assurance levels and MFA

NIST uses AALs to match authentication strength to risk:

  • AAL1: Provides basic confidence that a claimant controls an authenticator bound to an account.
  • AAL2: Requires proof of possession and control of two distinct authentication factors.
  • AAL3: Requires a phishing-resistant cryptographic authenticator with a non-exportable private key and uses public-key cryptography.

OTP methods can support MFA, but they’re not phishing-resistant under NIST guidance. Because of this, MFA doesn’t eliminate the need for strong password controls, blocklists, throttling, and secure password storage.

Image: NIST password requirements checklist

Login attempt limits and abuse prevention

NIST requires agencies to limit failed authentication attempts. This helps reduce online guessing attacks, where attackers repeatedly try passwords against a login form.

Attempt limits should protect accounts without creating unnecessary lockout problems for legitimate users. In practice, organizations can combine several controls, such as rate limiting, temporary delays, bot detection, step-up authentication, or alerts for suspicious activity.

NIST sets 100 consecutive failed attempts as the upper bound for a specific authenticator on a single account before the authenticator is disabled, and agencies may impose lower limits.
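An added Python example (not from NIST or the article) of how a verifier can track consecutive failures per account and authenticator, apply a growing delay, and disable the authenticator at the 100-attempt ceiling. The delay schedule, the five undelayed attempts and the five-minute cap are assumed values.

```python
# Added illustration of consecutive-failure limiting; not NIST's or the article's code.
import time
from collections import defaultdict

MAX_CONSECUTIVE_FAILURES = 100  # the upper bound the article cites; deployments may set lower
FREE_ATTEMPTS = 5               # assumed: no delay for the first few failures
BASE_DELAY_SECONDS = 1.0        # assumed: delay doubles per failure after that, capped below
MAX_DELAY_SECONDS = 300.0


class ManualClock:
    """Controllable clock so the throttling can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FailureTracker:
    """Tracks consecutive failures per (account, authenticator) pair."""
    def __init__(self, limit: int = MAX_CONSECUTIVE_FAILURES, clock=time.monotonic) -> None:
        self.limit = limit
        self.clock = clock
        self._failures = defaultdict(int)      # consecutive failures so far
        self._not_before = defaultdict(float)  # earliest time the next attempt is allowed
        self._disabled = set()                 # pairs that hit the limit

    def allowed(self, account: str, authenticator: str) -> bool:
        key = (account, authenticator)
        return key not in self._disabled and self.clock() >= self._not_before[key]

    def record(self, account: str, authenticator: str, success: bool) -> None:
        key = (account, authenticator)
        if success:
            self._failures[key] = 0  # a successful login resets the consecutive count
            self._not_before[key] = 0.0
            return
        self._failures[key] += 1
        if self._failures[key] >= self.limit:
            self._disabled.add(key)  # authenticator disabled; needs an out-of-band reset
            return
        over = self._failures[key] - FREE_ATTEMPTS
        if over > 0:
            delay = min(BASE_DELAY_SECONDS * 2 ** (over - 1), MAX_DELAY_SECONDS)
            self._not_before[key] = self.clock() + delay

    def is_disabled(self, account: str, authenticator: str) -> bool:
        return (account, authenticator) in self._disabled

    def failures(self, account: str, authenticator: str) -> int:
        return self._failures[(account, authenticator)]
```

Disabling is keyed to the authenticator, so a locked password does not block the same account's passkey or security key.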

Secure password storage and hashing

NIST says organizations must store passwords in a form that resists offline attacks. That means passwords should never be stored in plain text. They must be salted and hashed using a suitable password hashing scheme. A salt is a random value added to a password before hashing, so identical passwords don’t produce identical hashes.

A password hashing scheme uses the password, a salt, and a cost factor to create a password hash. The goal is to make each password guess more expensive for an attacker who obtains a hashed password file. NIST says the cost factor should be as high as practical without hurting system performance, and organizations should increase it over time as computing power improves.

For stronger protection, NIST also recommends an additional keyed hashing or encryption step using a secret key stored separately from the password hashes, ideally in hardware-protected storage such as a Hardware Security Module (HSM), Trusted Platform Module (TPM), or trusted execution environment. This makes offline brute-force attacks much harder as long as the secret key stays protected.
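An added Python example (not NIST's or the article's code) of the storage layering described above: a per-record random salt, an iteration count as the cost factor, and a keyed HMAC step using a secret that would live in an HSM, TPM or TEE rather than in the password database. PBKDF2 is used because it is in the standard library; the placeholder key and the iteration count are assumptions, and memory-hard schemes such as scrypt or Argon2 are a common production choice.

```python
# Added illustration of salted, cost-parameterised hashing plus a keyed step; not NIST's code.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed cost factor; raise it over time as hardware improves
SALT_BYTES = 16

# Placeholder for a key held in an HSM/TPM/TEE. A real key is random and is never
# stored next to the password hashes; without it, a stolen table cannot be attacked offline.
SERVER_SECRET_KEY = bytes.fromhex("00" * 32)


def _keyed(digest: bytes, key: bytes) -> bytes:
    """Keyed step over the password hash: HMAC-SHA256 with the separately stored secret."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def hash_password(password: str, key: bytes = SERVER_SECRET_KEY,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$tag."""
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords give different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = _keyed(digest, key)
    # Parameters travel with the record so the cost can be raised later without breaking old ones.
    return f"pbkdf2-sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str, key: bytes = SERVER_SECRET_KEY) -> bool:
    scheme, iterations, salt_hex, tag_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_keyed(digest, key), bytes.fromhex(tag_hex))


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record's cost factor is below the current target; rehash at next login."""
    return int(stored.split("$")[1]) < iterations
```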

How to implement NIST password guidelines

Implementing NIST password guidelines requires organizations to update the full password lifecycle, including password creation, storage, login protection, recovery, employee training, and policy reviews.

A practical implementation plan should include:

  • Create a NIST-aligned password policy: Replace outdated complexity rules with clearer requirements based on length, usability, password screening, MFA, and secure storage. The policy should explain which rules apply to different account types, including standard users, administrators, contractors, and service accounts.
  • Use password management tools: Encourage or provide password managers so users can create and store long, unique passwords or passkeys without memorizing each one. Login forms should support autofill and pasting so password managers work properly.
  • Implement password blocklisting: Screen new and changed passwords against blocklists of commonly used, expected, and compromised passwords. Include breach data, predictable patterns, company-specific terms, product names, and other context-based words attackers may try.
  • Update password reset workflows: Move away from routine password expiration and only trigger password changes when there is evidence of compromise. Recovery flows should avoid weak security questions and use safer methods, such as verified recovery channels, backup codes, MFA, or identity proofing, where appropriate.
  • Train employees on password security: Teach employees why the organization is changing its password rules, especially if they’re used to frequent resets or complex character requirements. Training should cover password managers, phishing risks, MFA, credential reuse, and what to do if they suspect a password has been exposed.
  • Protect high-risk accounts first: Prioritize administrators, executives, finance teams, HR teams, developer accounts, and cloud management tools. These accounts can cause more damage if attackers compromise them, so they usually need stronger MFA, stricter monitoring, and faster response workflows.
  • Review authentication logs and alerts: Monitor failed login attempts, unusual locations, repeated lockouts, password spraying, and credential stuffing patterns. A password policy works best when paired with active detection and response.
  • Document policy exceptions: Some legacy systems may not support long passwords, MFA, paste, or modern reset flows. Document these gaps, apply compensating controls where possible, and create a plan to retire or upgrade systems that cannot meet current expectations.
  • Review the policy regularly: NIST guidance, attacker behavior, and business systems can change. Organizations should review password policies at least once a year, after major security incidents, and whenever they adopt new authentication tools.
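As an added Python example for the log-review step of the plan above (constructed log lines in a made-up format, not from any real system and not the article's code), failed-login events can be grouped by source and by account to surface the two patterns the step names, plus accounts that succeed right after a burst of failures. The thresholds are assumed starting points.

```python
# Added illustration of reviewing authentication logs for the patterns named above;
# the log format and the events are constructed, not taken from any real system.
import re
from collections import defaultdict

SAMPLE_LOG = """\
2026-03-01T10:00:01Z ip=198.51.100.7 user=alice result=FAIL
2026-03-01T10:00:02Z ip=198.51.100.7 user=bob result=FAIL
2026-03-01T10:00:03Z ip=198.51.100.7 user=carol result=FAIL
2026-03-01T10:00:04Z ip=198.51.100.7 user=dave result=FAIL
2026-03-01T10:00:05Z ip=198.51.100.7 user=erin result=FAIL
2026-03-01T10:00:06Z ip=203.0.113.9 user=alice result=FAIL
2026-03-01T10:00:07Z ip=203.0.113.9 user=alice result=FAIL
2026-03-01T10:00:08Z ip=203.0.113.9 user=alice result=FAIL
2026-03-01T10:00:09Z ip=203.0.113.9 user=alice result=OK
2026-03-01T10:00:10Z ip=192.0.2.44 user=grace result=FAIL
2026-03-01T10:00:11Z ip=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(log: str):
    """Yield (ip, user, success) for each recognisable line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def classify_sources(log: str, min_users: int = 5, max_per_user: float = 2.0,
                     min_fail_ratio: float = 0.8) -> dict:
    """Label source IPs whose failure pattern looks like spraying or stuffing (thresholds assumed)."""
    events = defaultdict(list)
    for ip, user, ok in parse(log):
        events[ip].append((user, ok))
    verdicts = {}
    for ip, evs in events.items():
        users = {u for u, _ in evs}
        fail_ratio = sum(1 for _, ok in evs if not ok) / len(evs)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            # One or two tries against many accounts: password spraying.
            # More tries per account across many accounts: credential stuffing.
            per_user = len(evs) / len(users)
            verdicts[ip] = "password_spraying" if per_user <= max_per_user else "credential_stuffing"
    return verdicts


def suspicious_logins(log: str, min_fails: int = 3) -> set:
    """(ip, user) pairs that succeeded right after a burst of failures: worth an alert or step-up."""
    streak = defaultdict(int)
    flagged = set()
    for ip, user, ok in parse(log):
        if ok:
            if streak[(ip, user)] >= min_fails:
                flagged.add((ip, user))
            streak[(ip, user)] = 0
        else:
            streak[(ip, user)] += 1
    return flagged
```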

Password security best practices

NIST password guidelines give organizations a strong foundation, but password security also depends on how well those rules work. A good password policy should reduce common attack risks, help users make safer choices, and leave room for regular review as threats and systems change.

Protect against credential stuffing

Credential stuffing happens when attackers use stolen usernames and passwords from one breach to try to access accounts on another service. This attack often works because many people reuse passwords across multiple accounts.

Password managers such as ExpressKeys help users avoid reuse. When each account has a unique password, one exposed credential can’t unlock other systems.

Avoid common password myths

Many older password habits still appear in company policies, even though they don’t always improve security. For example, requiring users to change passwords every 60 or 90 days may sound safer, but it can lead people to make small, predictable changes.

Image: Comparison of common password myths and current guidance, including password length, reset timing, security questions, and MFA strength.

Strict complexity rules can create the same problem. A password with one uppercase letter, one number, and one symbol isn’t automatically strong if it follows a common pattern.

Organizations should also avoid assuming that security questions provide strong protection. Many people can guess, research, or expose answers through other breaches. Safer recovery methods give users a better way back into their accounts without relying on personal facts that may not stay private.

Balance security with user convenience

Good password security should make safe behavior easier, not harder. When policies create too much friction, users often find shortcuts. They may reuse passwords, write them down, make predictable changes, or avoid security tools entirely.

A NIST-aligned approach should support long passwords, passphrases, password managers, autofill, and pasting into password fields. These choices help users create stronger passwords without making the login process painful.

Organizations should also provide clear error messages when rejecting a password. Instead of vague warnings like “password does not meet requirements,” explain the issue, such as “This password appears in lists of commonly used or exposed passwords. Choose a longer, more unique password.”

FAQ: Common questions about NIST password guidelines

Where can I read the official NIST password guidance?

You can read the official National Institute of Standards and Technology (NIST) password guidance in NIST Special Publication 800-63B-4, Authentication and Authenticator Management. This document sits within the broader NIST SP 800-63-4 Digital Identity Guidelines and covers passwords, MFA, authenticators, account recovery, login attempt limits, and related authentication requirements.

Are NIST password guidelines mandatory for every organization?

No, the National Institute of Standards and Technology (NIST) password guidelines aren’t mandatory for every organization. They set requirements for federal digital identity systems, and federal agencies or contractors may need to follow them depending on the system, contract, or compliance context.

Private companies aren't automatically required to follow NIST password guidance. However, many adopt it as a trusted baseline because it supports stronger, more usable authentication policies.

How long should a password be under NIST guidance?

Under National Institute of Standards and Technology (NIST) SP 800-63B-4, passwords used as a single authentication factor must be at least 15 characters long. Passwords used only as part of multi-factor authentication (MFA) must be at least 8 characters long. NIST also says systems should allow passwords of at least 64 characters, which supports longer passwords and passphrases.

Can users paste passwords into login forms?

The National Institute of Standards and Technology (NIST) supports password usability features that help people use password managers effectively. Its customer experience guidance states that organizations should support autofill and copy-and-paste functionality in password fields, including those for passphrases.

Do password managers help with NIST compliance?

Password managers can support National Institute of Standards and Technology (NIST)-aligned password policies by helping users create and store unique passwords for each account. NIST notes that password managers help users maintain distinct passwords, which reduces the risk of credential stuffing when a password from one service is compromised.

How should organizations handle compromised passwords?

Organizations should require users to change their passwords when they find evidence that a password has been compromised. They should also screen new and changed passwords against blocklists that include commonly used, expected, and compromised passwords.

Is SMS-based MFA still acceptable?

SMS-based multi-factor authentication (MFA) can still be used in some contexts, but it’s no longer considered one of the strongest MFA options. The National Institute of Standards and Technology (NIST) treats SMS and voice codes sent over the public switched telephone network (PSTN) as a restricted form of out-of-band authentication. It says verifiers should make alternative authentication methods available and consider risk indicators, such as SIM swaps, number porting, or other abnormal behavior, before sending authentication codes by SMS or voice.

How often should companies review their password policy?

There are no set guidelines for how frequently companies should review their password policies. However, a good practice is to review your policies annually to ensure there are no issues.

Shauli Zacks is a cybersecurity writer at ExpressVPN who specializes in online privacy, VPNs, and emerging digital trends. With years of experience researching and reviewing security tools, he’s passionate about helping readers take control of their data and understand the tech shaping their world. When he isn’t writing, Shauli enjoys running, traveling, and testing new gadgets.
