Modern password tips based on NIST guidelines
Passwords are an inherently flawed security measure in an era of constant phishing attacks and massive data leaks. This guide breaks down the latest recommendations from the National Institute of Standards and Technology (NIST) and shows how to improve security with longer passwords, smarter tools, and modern authentication methods.
Why should your business listen to NIST?
NIST is a US government agency that sets cybersecurity standards. Although originally created for federal agencies, its influence now extends to the private sector. Industries that handle sensitive data, such as healthcare, finance, and software, often adopt NIST guidelines because they are based on rigorous real-world testing and an understanding of human behavior.
In fact, many modern compliance frameworks, including HIPAA and SOC 2, now incorporate NIST’s approach to identity management, establishing its recommendations as the gold standard for any security-conscious business.
Outdated practices vs. new NIST standards
To strike a balance between security and ease of use, organizations must abandon old password policies and adopt NIST’s latest password security guidance.
Prioritize password length over complexity
One of the biggest changes in password security is the move from strict complexity rules. This means organizations no longer need to require combinations of uppercase letters, numbers, and symbols. The reason is simple: users find predictable ways to meet these rules (e.g., “Password123!”), making passwords incredibly easy to guess.
Length is now the most important factor in password security. Longer passwords are harder for cybercriminals to crack, even with powerful hardware. While NIST guidelines suggest a minimum of eight characters for standard accounts, security experts recommend 12 to 16 characters for a better balance of security and usability.
To support this shift, systems should now accommodate passwords up to 64 characters long, enabling users to create memorable passphrases. A passphrase, which is a string of unrelated words (e.g., “bluecoffeetrainsunset”), is now considered one of the most secure and user-friendly authentication methods. Because they are easier to remember and significantly harder to crack than short, complex passwords, passphrases offer superior security and convenience.
Furthermore, NIST now mandates that systems accept all printable ASCII characters, spaces, and Unicode symbols. This allows users to create longer, more memorable passphrases using native language characters or even emojis, which can also help reduce the frequency of password reset requests.
End forced password resets
Mandatory password changes every 60 or 90 days are an outdated practice. This policy often leads to security fatigue, prompting users to create weaker, more predictable passwords.
Instead, NIST now recommends a more practical approach:
- Require password changes only when there’s evidence of a compromise.
- Actively monitor accounts for suspicious activity.
- Trigger password resets based on actual risk, not a fixed schedule.
Screen passwords and monitor for compromised credentials
Attackers often rely on leaked password lists rather than randomly guessing. That’s why the NIST recommends organizations do the following:
- Block the use of common passwords (e.g., “123456”).
- Prevent employees from using passwords exposed in past breaches.
- Continuously monitor for exposed credentials.
Use password managers
Since every account needs a long, unique password, remembering them all is practically impossible. That’s why NIST highly recommends the use of password managers. These tools act as a secure digital vault, generating and autofilling strong passwords so your team doesn’t have to.
Beyond the password: MFA and biometrics
Passwords alone aren’t enough to ensure security. NIST recommends that when a password is required, it must be paired with an extra layer of verification:
Phishing-resistant MFA
Multifactor authentication (MFA) fortifies accounts by requiring more than just a password for account access. However, NIST now advises against using SMS text codes for MFA, as hackers can intercept these. Instead, they recommend using authenticator apps or hardware security keys (small USB tokens). With these methods, the “key” to your account remains securely on your physical device.
Safe and accurate biometrics
For biometric security such as facial recognition and fingerprint, NIST sets high standards for:
- Accuracy: Systems must have a false match rate of less than 1 in 10,000 to ensure reliability.
- Privacy: Your actual fingerprint or face image is never stored. Instead, the system generates a unique digital map (a template) and immediately deletes the original biometric data, protecting your identity.
Connect with our experts to bolster your cyber defenses against emerging threats and explore the future of password security.
Still relying on traditional password policies like forced resets and complex character requirements? Those rules are outdated. It’s time to take a more modern approach with guidance from the National Institute of Standards and Technology (NIST), simplifying security without compromising protection.
The National Institute of Standards and Technology (NIST) is changing how businesses approach password security. Learn how updated guidelines, focused on length, usability, and layered protection, can help safeguard accounts without introducing unnecessary complexity.
From lower energy consumption to longer hardware lifespans, thin and zero clients are helping companies rethink their IT strategy. Discover how these streamlined devices can deliver big savings without compromising performance.
What if your office computers didn’t need to do all the heavy lifting? This article explores how thin and zero clients reduce hardware costs, simplify IT management, and improve security for modern businesses.
Rising IT expenses are pushing businesses to explore smarter alternatives to traditional desktops. Thin and zero clients offer a cost-effective, secure, and easier-to-manage solution by shifting computing power to centralized systems.
For employees who spend their days on calls, a quality headset is an absolute necessity. It can improve call clarity, reduce background noise, and even help reduce fatigue by allowing for hands-free movement. If you’re looking for the best Voice over Internet Protocol (VoIP) headset in 2026, consider these key factors so you can make the right choice.
A subpar Voice over Internet Protocol (VoIP) headset often leads to distracting background noise, unclear audio, and even physical discomfort after just a few hours. That’s why you need a high-quality headset that supports the way you work. But with so many options on the market, how do you find the right one? Here are key features to consider.
Whether you’re collaborating with a remote team, leading a client presentation, or simply trying to stay focused in a busy home office, the right Voice over Internet Protocol (VoIP) headset can make all the difference. But how do you know which device you should choose? This guide walks you through the must-have features of VoIP headsets so you can find the ideal headset for your needs.
Your Microsoft Excel spreadsheets are likely the lifeblood of your small business. Whether it’s your monthly budget, an upcoming payroll sheet, or your entire inventory list, seeing hours of hard work vanish in an instant is terrifying. Before you start retyping everything from scratch, take a deep breath. Your data is probably still hiding on your computer. Work your way down this list of simple methods to rescue your lost work.