Security Alert · Las Vegas

NIST Changed the Password Rules. Your Policy Is Probably Outdated.

No more 90-day resets. No more complexity rules. The federal government officially retired the old password rulebook — and most businesses are still enforcing the rules NIST says don't work.

[Image: Old password rules (forced rotation, complexity) versus the new NIST SP 800-63B Rev 4 baseline]

6 min read  |  Published April 14, 2026  |  Brydan Solutions Inc

Key Takeaways

  • NIST SP 800-63B Rev 4 officially retired forced 90-day rotations and mandatory complexity rules because, in practice, they made security worse.
  • The new baseline: a 15-character minimum (NIST's hard floor is 8), no rotation, no composition rules, and a blocklist of known-breached and commonly used passwords checked at every set or change.
  • NIST requires two-factor authentication at AAL2, the assurance level that fits most sensitive business accounts. Once MFA is in place a stolen password alone no longer gets an attacker in, which is the risk rotation was supposed to manage.
  • Most Las Vegas businesses can modernize their policy in one week — better security and happier users at the same time.

If your IT policy still says passwords must be at least 8 characters, include uppercase and lowercase letters, a number, and a special character, and be changed every 90 days — those rules are officially obsolete. The federal agency that originally created them, NIST, retired them. Twice, actually: first in SP 800-63B in 2017, and again with stronger language in SP 800-63B Revision 4 (finalized in 2025).

The strange thing is how few businesses know. We routinely see Las Vegas companies — including ones in regulated industries that point at NIST as their compliance reference — still enforcing exactly the rules NIST officially says don’t work. The policy hasn’t been updated since 2018 because nobody told the IT team it changed.

What NIST Actually Says Now

NIST SP 800-63B Rev 4 is the federal government’s current guidance on authentication and authenticator lifecycle management (one of four volumes in the SP 800-63-4 suite). The password rules occupy only a few pages of it, and they can be summarized in five points that contradict almost everything most businesses still do:

1. No mandatory periodic password resets. The 90-day, 60-day, 30-day rotation requirement is gone. NIST says verifiers SHALL NOT require periodic changes and SHALL force a change when there is evidence the password is compromised (a breach notification, a phishing report, the credential turning up in a dump). Forced resets create predictable patterns (Spring2026!, Summer2026!) and train users to write passwords on sticky notes; both are worse than leaving a good password alone.

2. No required composition rules. The “must have uppercase, lowercase, number, special character” requirement is gone. NIST says: let users pick what works. Length is what matters. “PurpleFlamingoEating42Tacos” is fine. “P@ssw0rd!” is not.

3. Length-based requirements only. Rev 4 requires a minimum of 8 characters and recommends 15, and requires verifiers to accept passwords of at least 64 characters, including spaces, all printable ASCII and Unicode, without truncation, so that password-manager-generated secrets are neither rejected nor silently cut. Verifiers must also allow paste, which is what makes password managers usable. Length matters because it grows the search space exponentially: each added character multiplies the number of candidates by the size of the alphabet. A composition rule merely forces a predictable substitution that every cracking wordlist already covers.

4. Block known-breached and commonly used passwords. Compare every new or changed password against a blocklist of passwords that are known to be compromised, commonly used, or expected: breach corpora (HaveIBeenPwned's Pwned Passwords is the usual source), dictionary words, repetitive or sequential strings, and context-specific words such as your company name or the username. If the candidate is on the list, refuse it and ask for another, even when it meets the length requirement. This directly blunts credential stuffing and password spraying, which work precisely because attackers replay passwords that are already known.

5. MFA over rotation. Multi-factor authentication is the answer to the question “what if the password gets stolen.” NIST requires two factors at AAL2, the assurance level appropriate for most business accounts that hold anything sensitive, and it drops periodic rotation regardless of whether MFA is in use. Rotation was a blunt attempt to limit how long a stolen password stays useful; MFA makes the stolen password insufficient on its own, which is the stronger control.
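The five rules above translate into a short verifier-side check. The following is an added example, not code from the original post or from NIST: it enforces a length floor and ceiling, deliberately applies no composition rule, rejects passwords on a local blocklist or containing context-specific words, and optionally asks HaveIBeenPwned's Pwned Passwords range API how often the candidate appears in breach corpora. The lookup uses k-anonymity: only the first five hex characters of the SHA-1 hash leave your system, never the password or its full hash. The minimum and maximum lengths, the local blocklist and the context words are illustrative assumptions; the endpoint URL and response format are as published by haveibeenpwned.com.

```powershell
# Added example (not from the original post or NIST): a password-acceptance check
# implementing the SP 800-63B Rev 4 verifier rules. The lengths, the local blocklist
# and the context words are illustrative assumptions.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')   # uppercase hex, as HIBP expects
}

function Get-PwnedPasswordCount {
    # Returns how many times the password appears in the HIBP corpus (0 = not found).
    # k-anonymity: only the 5-character hash prefix is sent; matching happens locally.
    param([Parameter(Mandatory)][string]$Password)
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    $body   = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                                -Headers @{ 'Add-Padding' = 'true' }   # padding hides which range is "real"
    foreach ($line in ($body -split "`r?`n")) {
        $suffixAndCount = $line.Trim() -split ':'
        if ($suffixAndCount.Count -eq 2 -and $suffixAndCount[0] -eq $suffix) {
            return [long]$suffixAndCount[1]
        }
    }
    return 0
}

function New-PolicyResult {
    param([bool]$Accepted, [string]$Reason)
    [pscustomobject]@{ Accepted = $Accepted; Reason = $Reason }
}

function Test-NistPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$ContextWords = @(),   # username, company, product name: Rev 4 says block these too
        [int]$MinLength = 15,            # Rev 4: SHALL require >= 8, SHOULD require >= 15
        [int]$MaxLength = 64,            # Rev 4: SHOULD accept at least 64; never truncate
        [switch]$SkipOnlineCheck         # evaluate offline (no HIBP call)
    )
    # Constructed stand-in for the "commonly used or expected" part of the blocklist.
    $localBlocklist = @('password', 'password1!', 'p@ssw0rd!', 'letmein', 'spring2026!', 'summer2026!')

    # Count characters, not bytes: Rev 4 allows spaces and Unicode.
    $length = [System.Globalization.StringInfo]::new($Password).LengthInTextElements
    if ($length -lt $MinLength) { return New-PolicyResult $false "too short ($length chars; minimum $MinLength)" }
    if ($length -gt $MaxLength) { return New-PolicyResult $false "too long ($length chars; maximum $MaxLength)" }
    # Deliberately no uppercase/digit/symbol rule: Rev 4 says verifiers SHALL NOT impose composition rules.

    $lower = $Password.ToLowerInvariant()
    if ($localBlocklist -contains $lower) { return New-PolicyResult $false 'on the common-password blocklist' }
    foreach ($word in $ContextWords) {
        if ($word -and $lower.Contains($word.ToLowerInvariant())) {
            return New-PolicyResult $false "contains context-specific word '$word'"
        }
    }
    if (-not $SkipOnlineCheck) {
        $count = Get-PwnedPasswordCount -Password $Password
        if ($count -gt 0) { return New-PolicyResult $false "seen $count times in known breaches" }
    }
    return New-PolicyResult $true 'meets SP 800-63B Rev 4 verifier rules'
}

# Usage. Drop -SkipOnlineCheck to include the HIBP k-anonymity lookup.
Test-NistPassword -Password 'P@ssw0rd!' -SkipOnlineCheck                     # rejected: too short
Test-NistPassword -Password 'PurpleFlamingoEating42Tacos' -SkipOnlineCheck   # accepted
Test-NistPassword -Password 'Brydan Solutions Welcome 2026' -ContextWords 'brydan' -SkipOnlineCheck   # rejected: context word
```

Note the order of the checks: length first, because it is cheap and local, and the network lookup last, so a candidate that is already unacceptable never generates a request. In a real verifier the returned reason is shown to the user with a request to pick a different password, which Rev 4 requires when a blocklist match occurs.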

Why the Old Rules Backfired

NIST didn’t change its mind out of fashion. Years of research showed the old rules created exactly the behaviors they were trying to prevent.

Forced 90-day rotations led to incremental passwords: Password1!, Password2!, Password3!. An attacker who obtained a single old password, say from a breach dump, could guess the current one trivially. Worse, rotation encouraged users to write passwords down, share them with coworkers, and pick weaker base passwords to make the next rotation easier.

Mandatory complexity rules pushed users toward predictable substitutions: “P@ssw0rd” instead of “Password,” “Adm1n” instead of “Admin.” Rule-based cracking tools such as John the Ripper and hashcat have applied exactly those mangling rules for well over a decade, so the requirements stopped adding meaningful work for attackers long ago and mostly added friction for users.

The combination — forced rotation plus complexity — created the perfect storm. Users picked weak base passwords, made minor substitutions to meet complexity, and rotated through predictable variants. Attackers got better; users got more frustrated; security got worse.

The New Minimum Baseline for Businesses

If your IT policy needs updating (and it almost certainly does), here’s the modern baseline:

  • Minimum length: 15 characters. Some businesses bump to 20+. The longer, the stronger.
  • No mandatory periodic rotation. Reset only on a compromise indication.
  • No complexity rules. Let users pick passphrases.
  • Block breached passwords. Integrate with the HaveIBeenPwned Pwned Passwords range API (k-anonymity: only the first five hex characters of the SHA-1 hash leave your system) or use an identity provider that checks a breach or banned-password list automatically (most major ones now do).
  • Encourage password managers. A password manager stores long random unique passwords for every site, and the user only remembers the master. This is the actual answer to the “remembering passwords is hard” problem.
  • MFA on every account that matters. Email, financial, admin, anything sensitive. Phishing-resistant MFA (FIDO2 keys, passkeys) for high-value accounts.

What’s noticeably absent from this list: rotation policies, complexity policies, the entire architecture of password rules that most enterprises spent the 2000s and 2010s building. That architecture didn’t help, and now formally isn’t recommended.

How to Update Your Policy

Three steps to bring your environment up to current NIST guidance:

Update the written policy. Whoever maintains your information security policy (IT manager, MSP, compliance officer) needs to revise it to match SP 800-63B Rev 4. Cite the publication by name and date so future auditors know the policy reflects current guidance. Check whether another framework you are bound to still mandates rotation (PCI DSS v4 does for password-only access, for example) so the policy documents the exception rather than silently conflicting with it. This is usually a one-to-two hour task plus a sign-off.

Reconfigure Entra ID / Active Directory. For cloud-managed Microsoft 365 accounts, password expiration is set per domain in the Microsoft 365 admin center (Settings → Org settings → Security & privacy → Password expiration policy) or with Microsoft Graph PowerShell (Update-MgDomain -PasswordValidityPeriodInDays 2147483647, the “never expires” value). A 90-day expiry has been the default for years, and many tenants still have it. Individual users can also carry a per-user override (PasswordPolicies = DisablePasswordExpiration), so check both. For synced hybrid accounts the on-premises policy governs: set Maximum password age to 0 (never) in the Default Domain Policy or the relevant fine-grained password policy, and raise the minimum length there too.

Deploy a password manager and turn on breached-password blocking. 1Password, Bitwarden, and Dashlane all offer business plans. In Microsoft 365 environments, enable Microsoft Entra Password Protection (Entra admin center: Protection → Authentication methods → Password protection). It rejects passwords on Microsoft’s global banned-password list, which covers common and easily guessed passwords and their predictable variants, and lets you add a custom banned list (company name, product names, local sports teams). It is not a full breach corpus, so if your policy requires a breached-password check, pair it with a HaveIBeenPwned lookup at password set or change. For non-M365 environments, set up a comparable check at the identity provider layer.
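The reconfiguration step above, as an added example that is not part of the original post and not Microsoft’s own tooling: a PowerShell script that audits password expiration in Entra ID (per domain and per user) and in on-premises Active Directory (default domain policy plus any fine-grained policies), and applies the Rev 4 baseline when a flag is flipped. It assumes the Microsoft.Graph and ActiveDirectory modules are installed and that the account running it holds Domain.ReadWrite.All and User.ReadWrite.All in Graph and Domain Admins rights on-premises. With $Apply left at $false it is read-only.

```powershell
# Added example (not from the original post or from Microsoft): audit, and optionally
# fix, password expiration in Entra ID and on-premises AD. Assumes Microsoft.Graph and
# ActiveDirectory modules plus the permissions named in the lead-in. $Apply = $false is read-only.

$Apply        = $false
$NeverExpires = 2147483647   # Graph's sentinel value for "passwords never expire"

# --- Entra ID: cloud-managed accounts --------------------------------------
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'User.ReadWrite.All' -NoWelcome

foreach ($domain in Get-MgDomain) {
    $days  = $domain.PasswordValidityPeriodInDays
    $state = if ($days -eq $NeverExpires) { 'never expires' } else { "$days days" }
    Write-Host "Entra domain $($domain.Id): password validity = $state"
    if ($Apply -and $days -ne $NeverExpires) {
        Update-MgDomain -DomainId $domain.Id -PasswordValidityPeriodInDays $NeverExpires `
                        -PasswordNotificationWindowInDays 14
    }
}

# A per-user policy can override the domain setting, so check users as well.
# Synced accounts are skipped: their expiration is governed by on-prem AD (unless the
# tenant has EnforceCloudPasswordPolicyForPasswordSyncedUsers enabled).
$cloudUsers = Get-MgUser -All -Property Id, UserPrincipalName, PasswordPolicies, OnPremisesSyncEnabled |
              Where-Object { -not $_.OnPremisesSyncEnabled }
$stillExpiring = $cloudUsers | Where-Object { $_.PasswordPolicies -notmatch 'DisablePasswordExpiration' }
Write-Host "$(@($stillExpiring).Count) of $(@($cloudUsers).Count) cloud-only users still have expiring passwords"
if ($Apply) {
    foreach ($user in $stillExpiring) {
        Update-MgUser -UserId $user.Id -PasswordPolicies 'DisablePasswordExpiration'
    }
}

# --- On-premises Active Directory ------------------------------------------
Import-Module ActiveDirectory
$policy = Get-ADDefaultDomainPasswordPolicy
Write-Host ("AD default domain policy: MaxPasswordAge={0} MinPasswordLength={1} ComplexityEnabled={2}" -f
            $policy.MaxPasswordAge, $policy.MinPasswordLength, $policy.ComplexityEnabled)

# Fine-grained password policies (PSOs) override the default for the groups they target; list them so none is missed.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, ComplexityEnabled |
    Format-Table -AutoSize

if ($Apply) {
    # MaxPasswordAge of zero means "never expires". Caveat (assumption about your estate): a
    # MinPasswordLength above 14 is only enforced by DCs and clients that support the
    # "Relax minimum password length limits" setting; verify your OS levels before relying on it.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -MaxPasswordAge ([TimeSpan]::Zero) -MinPasswordLength 15 -ComplexityEnabled $false
}
```

Run it once read-only and keep the output with the policy change record; the domain, per-user and PSO listings are exactly what an auditor will ask for when checking that the written policy and the enforced configuration agree.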

The Bottom Line

Updated password rules feel like a small policy change. They’re not — they’re an acknowledgment that the old security model didn’t work, and that the new model puts the burden on systems (MFA, breach detection, password managers) instead of on users’ memory and discipline.

For most businesses, getting to current guidance is a one-week project and a noticeable improvement in security AND user satisfaction at the same time. The hardest part is usually convincing the long-tenured staff that yes, the rule they’ve been following for 20 years was officially abandoned by the agency that wrote it.

Talk to Brydan

When Was Your Password Policy Last Reviewed?

Brydan audits client password and MFA policies against current NIST guidance during onboarding and at every annual review. If yours hasn’t been touched since the Obama administration, that’s a quick conversation to have.

Talk to Brydan → ☎ (702) 333-0333
