Unpacking the New NIST Digital Identity Guidelines for SMBs

Publication date: Feb 28, 2025

Last Published: Feb 28, 2025


Many of the password best practices that organizations have been following for years, such as complex passwords with special characters or mandatory changes every 90 days, can be traced to the first version of NIST's Digital Identity Guidelines (SP 800-63). However, cybersecurity is dynamic, and best practices must evolve to keep pace with both emerging threats and real-world user behavior. 

That’s why NIST’s latest guidelines represent a significant shift in approach. The updated framework acknowledges an irrefutable reality that many SMBs face: security measures that look good on paper often fail in practice when they create too much friction for users. Let’s unpack what’s changing and, more importantly, what these changes mean for your business. 

Say Goodbye to Complex Password Rules  

Here's one common password requirement that many organizations have implemented: Your password must contain at least one uppercase letter, one lowercase letter, one number, one special character, and be at least eight characters long.  

The problem with password rules like the above is that they lead to passwords like "P@ssw0rd123!" or "Tr0ub4dor&3." Such passwords are not only difficult to remember but, ironically, less secure: users resort to predictable substitutions that appear in every attacker's word list and are routinely tried in password-spraying attacks (the first example), or they write the password down (the second example). 

That's why the new NIST guidelines take a different approach. Rather than forcing users to create complex passwords with arbitrary combinations of characters, the focus shifts to length. Verifiers are told not to impose composition rules at all, to require a minimum of 8 characters (15 is the preferred minimum when the password is the only factor), and to accept passwords of at least 64 characters so that users can choose longer passphrases that are easier to remember but harder to guess.  

For example, a simple passphrase like "purple elephant dancing moonlight" is both more memorable and more secure than "P@ssw0rd123!" due to its length and unpredictability. One caveat: a passphrase only stays unpredictable if it is actually yours. Famous examples such as "correct horse battery staple" have long since been added to the cracking lists attackers use, which is exactly why the screening step described later checks new passwords against breach data. 

Extending Password Lifetimes 

It turns out that forcing frequent password changes often backfires, as users tend to create predictable patterns (like changing “Spring2024!” to “Summer2024!”) or resort to writing down passwords they can’t remember.  

Instead, the guidelines say verifiers must not require periodic changes at all, and must force a change only when there's evidence of compromise, such as after a data breach or when suspicious activity is detected. Another major benefit of less frequent password changes is that the burden on both users and IT support is reduced, so both can spend more time on what really matters instead of wasting it on something that makes systems less secure, not more. 

Email Authentication is Out 

As part of a broader effort to eliminate weak links in the authentication chain, the updated NIST guidelines keep email off the list of acceptable channels for out-of-band authentication: receiving a message in a mailbox proves nothing about possession of a specific device.  

Relying on email to verify identity or send one-time codes has proven to be vulnerable to interception and other attacks, making it an unreliable method for modern security needs. By cutting off this outdated approach, NIST is urging organizations to explore more secure channels—such as mobile push notifications, hardware tokens, or dedicated authenticator apps—that better protect against fraud and unauthorized access. 

Making Security More User-Friendly 

The updated NIST guidelines recognize that security shouldn’t come at the expense of user convenience. To make strong authentication more practical, they advocate for measures like allowing paste functionality in password fields. This simple tweak helps users avoid the pitfalls of typing long, complex passphrases manually—a process that often leads to errors or the temptation to simplify passwords. 

Another significant improvement is the recommendation to give visual feedback during password creation. Systems should show password length and strength in real time, helping users understand what makes a good password without resorting to complex rules, so they can make better security decisions without frustration. 

Storing and Screening Passwords the Right Way 

Data breaches have become an unfortunate reality of modern business, with compromised passwords being one of the primary targets for cybercriminals. Once attackers obtain a database of passwords, they can use these credentials to attempt access to other systems, knowing that many people reuse passwords across multiple accounts. 

That's why NIST wants all organizations to store their passwords salted and hashed with a deliberately slow password-hashing function (the guidelines name PBKDF2 as one suitable choice) rather than as plain text or with a fast general-purpose hash.  

When passwords are salted and hashed, each password is combined with a unique random value (the salt) and then transformed by a one-way function into a fixed-length digest that can't be reversed back into the original password. The salt means two users with the same password get different digests and that attackers can't use precomputed tables; the slow hash means every guess costs real CPU time. What hashing does not do is make weak passwords safe: an attacker who steals the database can still run a word list of common passwords through the same function and recover any that appear on it. That is why proper storage has to be paired with the screening described next. 

But proper storage is just the beginning. NIST introduces smarter password screening requirements that go beyond traditional complexity rules. As the guidelines state, systems must “compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised.” This means checking new passwords against: 

  • Lists of passwords found in previous data breaches 
  • Common dictionary words and patterns 
  • Context-specific terms (like your company name) 
  • Repetitive or sequential characters 
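The screening rules above, implemented as an added example (not code from the original post or from NIST). The breach list, dictionary and company name are constructed samples; a real deployment loads a breach corpus such as the Pwned Passwords data set in place of the handful of entries here. The leet-decoding, the 256-character cap and the "half the password is a pattern" threshold are assumptions of this example, not requirements in the guidelines, which only require accepting at least 64 characters and normalizing Unicode before comparison.

```python
import re
import unicodedata

MIN_LEN = 8     # NIST SP 800-63B minimum (15 preferred when the password is the only factor)
MAX_LEN = 256   # NIST requires accepting at least 64; this cap only bounds hashing cost (assumption)

# Constructed sample lists for the demonstration.
BREACHED = {
    "123456", "password", "p@ssw0rd", "p@ssw0rd123!", "qwerty", "welcome1",
    "correct horse battery staple",   # famous examples end up in every cracking list
}
DICTIONARY = {"password", "summer", "spring", "winter", "welcome", "dragon", "monkey"}

# Common leet substitutions, undone before dictionary/blocklist lookups (assumption).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t"})


def _pattern_coverage(s: str) -> float:
    """Fraction of characters sitting inside runs of 3+ repeated ('aaa') or
    consecutive ('abc', '321') characters."""
    n = len(s)
    if n == 0:
        return 0.0
    covered = [False] * n
    for i in range(n):
        for step in (0, 1, -1):
            j = i
            while j + 1 < n and ord(s[j + 1]) - ord(s[j]) == step:
                j += 1
            if j - i + 1 >= 3:
                covered[i:j + 1] = [True] * (j - i + 1)
    return sum(covered) / n


def screen_password(candidate: str, context_terms=(), breached=BREACHED,
                    dictionary=DICTIONARY) -> list[str]:
    """Return the reasons a candidate fails NIST-style screening; [] means accept.

    Deliberately no composition rules: length plus blocklists only.
    """
    pw = unicodedata.normalize("NFKC", candidate)   # NIST: normalize before comparing or hashing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    lower = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lower)   # strip leading/trailing digits and punctuation
    decoded = core.translate(LEET)                      # "p@ssw0rd" -> "password"

    if pw in breached or lower in breached or decoded in breached:
        reasons.append("appears in breach/common-password list")
    if decoded in dictionary:
        reasons.append("dictionary word with trivial decoration")
    for term in context_terms:
        if len(term) >= 4 and term.lower() in lower.translate(LEET):
            reasons.append(f"contains context-specific term {term!r}")
    if _pattern_coverage(lower) >= 0.5:                 # threshold is an assumption
        reasons.append("mostly repetitive or sequential characters")
    return reasons


if __name__ == "__main__":
    company = ("OSIbeyond",)
    for pw in ["P@ssw0rd123!", "Summer2024!", "OSIbeyond2025!", "abc123",
               "correct horse battery staple", "purple elephant dancing moonlight"]:
        print(f"{pw!r}: {screen_password(pw, company) or 'accepted'}")
```

Note what the checks do and do not reject: "purple elephant dancing moonlight" passes with no special characters at all, while "P@ssw0rd123!" fails twice despite satisfying every legacy composition rule. Feedback to the user should name the reason (for example "this password appeared in a data breach") rather than demanding a different mix of characters.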

Moving Beyond Traditional Passwords 

While the new NIST guidelines improve password practices, they also acknowledge that even the best password is still just a password, and by some industry estimates compromised passwords are involved in over 80% of data breaches.  

The guidelines explicitly recognize traditional passwords as inherently weak authenticators and recommend Multi-Factor Authentication (MFA) whenever personal information is accessible online.  

MFA can be implemented in a number of specific ways, but it always requires two different kinds of factor: something you know (like a password), something you have (like an authenticator app or security key), or something you are (like a fingerprint). Two passwords, or a password plus a security question, do not count.  

That said, the guidelines specifically discourage the use of SMS text messages for authentication codes, a practice many organizations still rely on. While text-based MFA is better than no MFA at all, authenticator apps or hardware security keys provide much stronger protection against modern cyber threats: the code is generated on the device from a shared secret rather than sent over the phone network, so SIM-swapping attacks don't help, and FIDO/WebAuthn security keys go further by binding the login to the real site so a phishing page cannot replay it. 

What These NIST Changes Mean for Your Business 

The key takeaway is clear: passwords still have their place in cybersecurity, but they mustn’t become a burden or the sole line of defense for your organization. The new NIST guidelines help achieve this balance by promoting stronger yet more manageable password practices while emphasizing the importance of Multi-Factor Authentication.  

As a managed IT and cybersecurity service provider, we at OSIbeyond can help you implement these NIST updates seamlessly, from overhauling password policies to rolling out MFA that works for your team. Whether you’re starting from scratch or fine-tuning what you’ve got, we’ve got the expertise to make it happen—without the jargon or the headaches. 

Ready to level up your security? Schedule a meeting with us today, and let’s get your defenses in fighting shape. 
