4 New Password Best Practices You Can Implement Today

The National Institute of Standards and Technology released updated password guidelines that signal a shift in how businesses and individuals should secure their online accounts.
The new recommendations focus on usability, length, and modern threat mitigation, aiming to strike a balance between strong security and user-friendly practices.
The new guidelines were published in September 2024 in NIST’s second public draft of SP 800-63-4, the latest revision of its Digital Identity Guidelines; the password rules themselves live in volume B, SP 800-63B-4.
Here are the most important password practices you should adopt to align with these new guidelines and bolster your cybersecurity strategy.
Focus on Password Length Over Complexity
NIST now puts the emphasis on password length rather than on composition rules. Historically, users were required to mix uppercase and lowercase letters, digits, and symbols. NIST’s own analysis found that such rules deliver far less than they promise: people satisfy them in predictable ways (a capital first letter, a “1” or “!” at the end, “@” for “a”), so cracking wordlists and mangling rules already anticipate them, while every additional character multiplies the space an attacker has to search.
A long passphrase like “SunnyDaysOnTheMoonComingSoon” is far harder to guess than a short, “complex” password like "P@ssw0rd!", which follows exactly the substitutions cracking tools try first and appears in every breach-derived wordlist. A passphrase built from common words is weaker than a truly random string of the same length, since guessers also combine dictionary words, but it is still orders of magnitude stronger than a nine-character pattern.
The draft’s concrete rules for verifiers: require at least 8 characters (and, as a SHOULD, at least 15), accept passwords of at least 64 characters, and impose no other composition rules.
Encouraging users to create memorable, lengthy passphrases can significantly enhance protection.
Stop Forcing Regular Password Changes
In the past, organizations often required users to change their passwords every 60 or 90 days. NIST’s 2024 guidelines say verifiers should not require periodic changes at all, and must force a change when there is evidence that the password has been compromised.
Regular password changes can lead to user fatigue, resulting in poor password habits like slight variations of previous passwords or writing passwords down to remember them.
Instead of forcing routine changes, monitor for compromise (breach dumps, successful credential-stuffing attempts, credentials leaked into logs or repositories) and require a change only when a specific password is known or suspected to be compromised.
Implement Password Blocklists
The 2024 guidelines also keep, and reinforce, the requirement for password blocklists that was introduced in the 2017 revision. Many users still create simple, predictable passwords or reuse passwords that have already been exposed in data breaches.
NIST requires verifiers to compare every new password against a blocklist of commonly used, expected, or compromised values and to reject matches. By using blocklists, you prevent users from choosing weak or compromised passwords and push them toward stronger alternatives.
For individuals, I recommend the password checker at haveibeenpwned.com, which lets you see whether a password you want to use, or already use, has been exposed in a data breach. Its Pwned Passwords service works by k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned list of hash suffixes locally, so the password itself never leaves your machine.
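The length rules and the blocklist check above fit together in one server-side verifier. The following Python example is added here to illustrate that; it is not code from the article or from NIST. It assumes a small constructed local blocklist, invented breach counts, and an offline stand-in for the Pwned Passwords range endpoint (the real one is https://api.pwnedpasswords.com/range/<prefix>) that emits the same SUFFIX:COUNT line format, so the k-anonymity matching logic is exercised without network access.

```python
import hashlib
import unicodedata
from typing import Callable

# Length thresholds from the SP 800-63B-4 draft: verifiers SHALL require at
# least 8 characters, SHOULD require at least 15, and SHALL accept at least 64.
MIN_LEN = 15
MAX_LEN = 64

# Constructed local blocklist for the demo. A real deployment loads a large
# list of common and breached passwords (lower-cased) from disk.
LOCAL_BLOCKLIST = {"password", "123456", "qwerty", "letmein", "p@ssw0rd!"}

# Real k-anonymity endpoint, for reference only; this demo never contacts it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def normalize(password: str) -> str:
    """NFKC-normalize before hashing so visually identical inputs compare
    equal (SP 800-63B recommends Unicode normalization of passwords)."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup in the Pwned Passwords range format: only the first
    5 hex characters of the SHA-1 leave this host; the server answers with
    every 'SUFFIX:COUNT' sharing that prefix and the other 35 are matched here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def validate_password(password: str, fetch_range: Callable[[str], str]) -> list[str]:
    """Return the reasons a candidate is rejected (empty list = accepted).
    No composition rules on purpose: length, blocklist and breach data only."""
    pw = normalize(password)
    problems = []
    n = len(pw)  # code points, not bytes, so non-ASCII passwords are not penalized
    if n < MIN_LEN:
        problems.append(f"too short: {n} characters, minimum {MIN_LEN}")
    if n > MAX_LEN:
        problems.append(f"too long: {n} characters, maximum {MAX_LEN}")
    if pw.lower() in LOCAL_BLOCKLIST:
        problems.append("on the local blocklist of common passwords")
    count = pwned_count(pw, fetch_range)
    if count:
        problems.append(f"seen {count} times in breach data")
    return problems


def make_fake_range_fetcher(breached: dict[str, int]) -> Callable[[str], str]:
    """Offline stand-in for the range endpoint, built from constructed
    (password, count) pairs; emits the same SUFFIX:COUNT lines the API does."""
    by_prefix: dict[str, list[str]] = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        by_prefix.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def fetch(prefix: str) -> str:
        return "\r\n".join(by_prefix.get(prefix.upper(), []))

    return fetch


# Constructed breach data; the counts are invented for the demo.
FAKE_BREACHES = {"password": 3861493, "P@ssw0rd!": 5000, "SunnyDaysOnTheMoon": 2}
fetch = make_fake_range_fetcher(FAKE_BREACHES)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "SunnyDaysOnTheMoon", "SunnyDaysOnTheMoonComingSoon"):
        verdict = validate_password(candidate, fetch) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Two design points worth noting: the verifier reports every failure rather than stopping at the first, so the user learns that "P@ssw0rd!" is both too short and a known breached value; and "SunnyDaysOnTheMoon" is rejected despite its length, because breach data, not shape, is what the blocklist measures. To go live, replace `make_fake_range_fetcher` with an HTTPS GET of `PWNED_RANGE_URL + prefix`.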
Adopt Multi-Factor Authentication
While passwords are still the first line of defense, NIST strongly advocates for the use of multi-factor authentication.
MFA adds an extra layer of security by requiring users to provide two or more types of verification.
For example, the first factor is something you know, like your password. The second is something you have, such as a code generated by an authenticator app or a hardware security key, or something you are, such as a fingerprint or face scan. Codes sent by SMS are the weakest option: NIST classifies delivery over the phone network as a restricted authenticator because numbers can be ported or SIM-swapped. An authenticator app (TOTP) is better; a hardware key or passkey is better still, because it also resists phishing.
MFA significantly reduces the risk of unauthorized access even if passwords are compromised. If possible, integrate MFA across your systems, especially for high-risk or sensitive accounts.
Use A Password Manager
Given the need for long, unique passwords across many accounts, NIST explicitly supports password managers and tells verifiers to allow passwords to be pasted so that managers can be used. These tools generate and store strong passwords, so users need neither reuse passwords nor write them down.
Password managers handle the complexity, making it easier for users to maintain robust security practices without sacrificing usability.
The random passwords a manager generates are infeasible to guess: 20 characters drawn uniformly from the 94 printable ASCII characters carry about 131 bits of entropy (20 × log2 94), far beyond what any online or offline guessing attack can cover.
Why These Changes Matter
Traditional password practices no longer provide adequate protection. By following NIST’s updated guidelines, businesses can reduce vulnerabilities related to weak passwords, while individuals can improve their online safety.
These changes help minimize the cognitive load on users, leading to better compliance and stronger overall security.