
How to Stay Compliant with New Proposed Password Regulations

Stephanie Schneider, published February 27, 2025

New federal guidelines seek to strengthen security at the root cause of several recent security incidents: identity and access management, and specifically passwords. The National Institute of Standards and Technology (NIST) updated its draft password security guidelines last year to make them more user-friendly while enhancing their effectiveness. A final version of the guidelines is expected later this year. The new guidelines discourage frequent password changes and overly complex requirements, which have been shown to lead to predictable and insecure user behavior: reusing similar passwords with slight variations (changing “Fido123” to “Fido123!”), writing passwords on Post-it notes next to computers where they are visible to prying eyes, or storing them in clear text where infostealers can easily grab them.

Instead, NIST recommends accepting a wider range of characters, including emojis, and emphasizing password length over complexity. For example, passwords should ideally be 15 characters or longer to maximize security. In addition, NIST strongly encourages the use of modern tools like password managers and passkeys, which leverage biometric data for authentication and help protect against phishing attacks.

The guidelines also aim to eliminate outdated practices, such as periodic password changes and password hints, which research has shown to be counterproductive. Instead, organizations are encouraged to implement block lists to prevent the use of commonly compromised or weak passwords. Passkeys, a relatively new alternative, are also highlighted for their enhanced security. Passkeys are more secure and user-friendly than passwords because they never leave the user’s device, reducing vulnerability to theft or phishing. With so many exposed credentials out there on the internet—like the 10 billion passwords leaked in the RockYou2024 compilation—passkeys reduce the risk from password breaches because each one is unique and can’t be reused. While adoption of passkeys is growing, these systems still require careful implementation to mitigate risks, such as securing devices against unauthorized access.
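To make the difference concrete, here is a small Python check, added as an illustration and not part of the original post, that contrasts a legacy complexity policy with a length-first, block-list-based policy of the kind described above. The 15-character minimum is the post's figure; the 64-character cap, the block list entries and the trailing-punctuation heuristic are assumptions made for the example.

```python
import unicodedata

MIN_LENGTH = 15   # the post's recommendation: 15 characters or longer
MAX_LENGTH = 64   # assumed upper bound, generous enough for passphrases

# Constructed block list standing in for a real compromised-password feed
# (entries are stored case-folded).
BLOCKLIST = {"password", "123456", "qwerty", "fido123", "letmein",
             "correcthorsebatterystaple"}


def normalize(pw: str) -> str:
    # NFKC so that visually identical Unicode input compares consistently;
    # whitespace is kept, since it is a legitimate part of a passphrase.
    return unicodedata.normalize("NFKC", pw)


def legacy_policy(pw: str) -> list[str]:
    """Composition rules the post argues against; empty list means accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("missing uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")
    if not any(c in "!@#$%^&*" for c in pw):
        problems.append("missing special character")
    return problems


def nist_policy(pw: str) -> list[str]:
    """Length-first rules of the kind the post describes; empty list means accepted."""
    pw = normalize(pw)
    problems = []
    # len() counts code points, so a single-code-point emoji counts as one
    # character, and no character class is required.
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Block-list lookup is case-insensitive; stripping trailing punctuation is an
    # assumed heuristic that also catches the "Fido123" -> "Fido123!" variation.
    folded = pw.casefold()
    if folded in BLOCKLIST or folded.rstrip("!?.") in BLOCKLIST:
        problems.append("appears on the compromised/common password block list")
    return problems
```

The legacy rules accept "Fido123!" and reject a long lower-case passphrase containing an emoji; the length-first rules do the opposite.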

NIST’s approach reflects decades of research showing that longer, randomly generated passwords are much harder to crack than short, complex ones. For users, tools like password managers—whether built into browsers or standalone—offer practical solutions for managing long, unique passwords across multiple accounts. That makes it much easier to manage the 160 or so personal passwords the average person has, and that’s not even counting work-related passwords.

Contractors and other organizations that do business with the federal government are required to follow NIST guidelines. Many firms also voluntarily comply with this widely recognized set of cybersecurity best practices, which are applicable to businesses of all sizes. The easiest way for small and mid-sized businesses (SMBs) to align with these guidelines is to use a password manager like LastPass, where password policies matching these new recommendations can be set once and then left in place. That way, staying compliant is easy.

As these updated standards are adopted, they are expected to significantly improve digital security practices in both the public and private sectors, though challenges like password reuse and device security remain ongoing concerns.
