NIST Password Guidelines Explained for Busy IT Teams

The short answer: NIST SP 800-63B tells you to favour length over forced complexity, stop scheduling password resets, screen new passwords against known-breached lists, and support long passphrases up to at least 64 characters. The rest of this guide explains each recommendation in plain English and what it means for a small IT team.

What is NIST SP 800-63B?

NIST — the U.S. National Institute of Standards and Technology — publishes the Digital Identity Guidelines. The document numbered SP 800-63B covers authentication, including the part everyone argues about: how to handle passwords, which it calls "memorised secrets." Although it is written for federal systems, it has become the de facto reference for sensible password practice across the private sector.

The guidance is notable because it deliberately overturned decades of habits — the mandatory symbols, the 90-day expiry — on the basis of evidence about how those rules actually affect security.

Recommendation 1: Length beats complexity

The central message is that a password's length contributes far more to its resistance against guessing than its mix of character types. A 16-character string drawn from a single class can be stronger than an 8-character string with every class represented: 26^16 is roughly 2^75 possibilities, while 95^8 is roughly 2^53, so the longer password has millions of times as many candidates even though it "looks" simpler.

This is why our generator scores results by entropy, calculated as length × log₂(pool size), rather than counting how many symbols you included. That formula only holds for a password drawn uniformly at random, which is exactly what a generator produces; it says nothing useful about a human-chosen password, whose real strength is how far down an attacker's guess list it sits. If you want to see the maths in action, generate a 12-character and a 20-character password and watch the bit count climb with length.

Practical takeaway: set a higher minimum length (12+ for staff, 16+ for sensitive systems) and stop obsessing over composition.
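To put the formula into numbers, here is an added example (not the generator's own code, and not from NIST) that infers the pool a machine-generated password was drawn from, scores it as length × log₂(pool), and converts the bits into time to exhaust at an assumed offline cracking rate. The rate of 10^11 guesses per second is an assumption standing in for a GPU rig against a fast unsalted hash; the function names are mine.

```python
import math
import string

# The four character classes a generator typically draws from.
# string.punctuation is the 32 printable ASCII symbols; space is counted separately.
POOLS = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "digits": string.digits,              # 10
    "symbols": string.punctuation,        # 32
}


def pool_size(password: str) -> int:
    """Smallest pool a uniform generator could have drawn this password from:
    the classes that actually appear, plus space if used. Only meaningful for
    machine-generated passwords; a human-chosen one is not uniform."""
    size = sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))
    if " " in password:
        size += 1
    return size


def entropy_bits(length: int, pool: int) -> float:
    """Entropy of a uniformly random password: length x log2(pool size)."""
    return length * math.log2(pool)


def score(password: str) -> float:
    """Bits of entropy, assuming the password was generated uniformly."""
    return entropy_bits(len(password), pool_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e11) -> float:
    """Years to try every candidate at the given rate. 1e11/s is an assumed
    figure for an offline attack on a fast hash; an online attacker facing
    rate limiting gets nowhere near it."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed comparison: one class but long, every class but short, a passphrase.
    for pw in ["kxqzvmwbtrhplnjd", "Tr0ub4d&", "correct horse battery staple"]:
        bits = score(pw)
        print(f"{pw!r:32} pool={pool_size(pw):3} bits={bits:6.1f} "
              f"years={years_to_exhaust(bits):.3g}")
```

The 16 lowercase letters score about 75 bits against roughly 52 for the 8-character mixed string, which is the comparison the paragraph above makes. Remember that the inference in pool_size runs the wrong way for human passwords: "Password1!" hits every class, scores 94^10, and is still on page one of any wordlist.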

Recommendation 2: Do not force periodic resets

NIST advises against requiring scheduled password changes for memorised secrets. The reasoning is behavioural: when forced to change regularly, people make small, predictable edits — appending a number, bumping a season — which attackers anticipate. Worse, frequent changes drive password reuse and sticky notes.

Instead, change a password only when there is a specific reason: a confirmed or suspected breach, a phishing click, or shared credentials after an employee leaves. This single change usually cuts help-desk reset volume noticeably while improving real security.

Recommendation 3: Screen against breached passwords

Rather than imposing composition rules, NIST recommends checking new passwords against a list of values known to have been compromised in previous breaches, and rejecting common or context-specific weak choices (the company name, welcome123, repetitive characters). Many identity providers and password managers offer this screening out of the box.

This is a better filter than complexity rules because it blocks the passwords attackers actually try first, instead of forcing arbitrary patterns that users then make predictable.

Recommendation 4: Allow length and all printable characters

The guidelines say systems should accept passwords of at least 8 characters as a floor and support at least 64, and should accept all printable ASCII characters and spaces (Unicode too, normalised to NFKC or NFC before hashing so the same passphrase typed on different keyboards compares equal), so genuine passphrases like correct horse battery staple work. Do not silently truncate, and do not block paste, because blocking paste actively discourages password-manager use.
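Recommendations 3 and 4 fit in one acceptance check. The following is an added example in Python, not code from NIST or from any identity provider: the blocklist, context words and breach counts are constructed, and the range-response helper stands in for the k-anonymity API that Have I Been Pwned's Pwned Passwords service exposes (the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally). The function names and the fictional company "Acme" are mine.

```python
import hashlib
import unicodedata

MIN_LENGTH = 12   # NIST floor is 8; the takeaway above suggests 12+ for staff
MAX_LENGTH = 128  # NIST says support at least 64; bound it, but reject, never truncate

# Constructed sample blocklist; a real deployment loads the full breach corpus.
BREACHED = {"password", "welcome123", "qwerty", "letmein", "123456"}
# Context-specific words for a fictional service/company called Acme.
CONTEXT_WORDS = {"acme", "acmecorp"}


def normalize(secret: str) -> str:
    """NFKC-normalize before comparing or hashing, as 800-63B recommends, so
    fullwidth or composed Unicode forms match their ASCII equivalents.
    No trimming, no case folding, no truncation."""
    return unicodedata.normalize("NFKC", secret)


def has_trivial_run(secret: str, run: int = 4) -> bool:
    """True if any window of `run` characters is repeated ('aaaa') or a
    straight ascending/descending sequence ('1234', 'dcba')."""
    s = secret.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(secret: str, username: str = "") -> list[str]:
    """Return the reasons a candidate fails policy; an empty list means accept.
    Deliberately no composition rules: length, blocklist and context only."""
    secret = normalize(secret)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if not all(c.isprintable() for c in secret):
        reasons.append("contains non-printable characters")
    if lowered in BREACHED:
        reasons.append("appears in breached-password list")
    if any(w in lowered for w in CONTEXT_WORDS) or (username and username.lower() in lowered):
        reasons.append("contains the service name or username")
    if has_trivial_run(secret):
        reasons.append("repetitive or sequential characters")
    return reasons


def sha1_prefix_suffix(secret: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to a range
    endpoint and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(secret: str, response_text: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return this password's breach
    count (0 if absent). The password itself never leaves the client."""
    _, suffix = sha1_prefix_suffix(secret)
    for line in response_text.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


CORPUS = {"password": 3500000, "welcome123": 42000}  # constructed counts


def constructed_range_response(prefix: str, corpus: dict[str, int] = CORPUS) -> str:
    """Stand-in for the network call: the lines a range endpoint would return
    for `prefix` from the small constructed corpus, plus a filler line."""
    lines = [f"{s}:{n}" for pw, n in corpus.items()
             for p, s in [sha1_prefix_suffix(pw)] if p == prefix]
    lines.append("F" * 35 + ":1")  # unrelated suffix; real responses hold hundreds
    return "\r\n".join(lines)


def screen(secret: str) -> int:
    """End-to-end k-anonymity check against the constructed corpus, offline."""
    prefix, _ = sha1_prefix_suffix(secret)
    return breach_count_from_range(secret, constructed_range_response(prefix))
```

Whatever you hash with must honour the length you accept: bcrypt silently truncates input at 72 bytes, which is exactly the silent truncation the guidelines forbid, so either enforce a 72-byte cap explicitly at acceptance time or use Argon2id, scrypt or PBKDF2, which hash the whole input. Run the blocklist and range check at creation and on every change, not just at sign-up.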

Recommendation 5: No password hints or knowledge questions

NIST does not merely discourage these: verifiers must not let users store a password hint that an unauthenticated person can see, and must not prompt for specific kinds of personal information ("mother's maiden name", "first pet") when a password is chosen, because the answers are often public or guessable. Replace them with proper account-recovery flows and, crucially, with two-factor authentication so a single secret is never the only thing standing between an attacker and an account.

Recommendation 6: Pair passwords with multi-factor authentication

Even a strong password can be phished or reused. NIST's broader framework leans heavily on multi-factor authentication and ranks the factors: one-time codes over SMS are the weakest (the guidelines classify delivery over the public telephone network as "restricted"), authenticator apps are a solid step up, and only cryptographic methods such as FIDO2/WebAuthn security keys and passkeys count as phishing-resistant, because the credential is bound to the site's origin and cannot be replayed to a look-alike domain. For most workplaces, enabling 2FA everywhere it is supported is the highest-impact change after adopting a password manager.

How to apply this in a small business

You do not need a compliance department to adopt the spirit of SP 800-63B. Translate it into a short, enforceable policy: set length minimums by account tier, turn off scheduled expiry, enable breach screening and 2FA in your identity provider, and mandate a password manager so long random credentials are realistic. Our workplace password policy guide turns these principles into a seven-line template you can adapt today, and our password manager guide covers tooling.

Frequently asked questions

What is NIST SP 800-63B?

It is the U.S. National Institute of Standards and Technology's Digital Identity Guidelines for authentication, including modern, evidence-based recommendations for how passwords (memorised secrets) should be handled.

Does NIST recommend periodic password changes?

No. NIST recommends not requiring scheduled password changes. Passwords should only be changed when there is evidence of compromise, because forced rotation encourages weak, predictable variants.

What minimum length does NIST suggest?

NIST advises supporting passwords of at least 8 characters as an absolute floor and allowing at least 64, while encouraging longer passphrases. In practice, set a higher floor of 12 or more for workplace accounts.

Do the NIST guidelines apply to small businesses?

They are written for U.S. federal systems but are widely adopted as best practice. Any business can apply the core principles — length over complexity, no forced resets, breach screening — regardless of size or sector.

Daniel Mercer

Daniel is an IT security consultant who helps small and mid-size businesses build practical, compliant password policies. He translates standards like NIST SP 800-63B into changes teams can ship without a compliance department.