top of page

30 September 2024

NIST Drops Password Complexity, Mandatory Reset Rules

NIST Drops Password Complexity, Mandatory Reset Rules

The National Institute of Standards and Technology (NIST) is no longer recommending using a mixture of character types in passwords or regularly changing passwords.


NIST's second public draft version of its password guidelines (SP 800-63-4) outlines technical requirements as well as recommended best practices for password management and authentication. The latest guidelines instruct credential service providers (CSP) to stop requiring users to set passwords that use specific types or characters or mandating periodic password changes (commonly every 60 or 90 days). Also, CSPs were instructed to stop using knowledge-based authentication or security questions when selecting passwords.


NIST also is now recommending password resets in the case of a credential breach only.

bottom of page