
NIST Password Guidelines: What to Know in 2026

May 6th, 2026 | 5 min. read

By Claudine Santiago


Editor's note: This post was originally published on October 17, 2022 and has been revised for clarity and comprehensiveness.

In 2025, NIST updated its password guidelines to require longer passwords, remove forced complexity rules, and check new passwords against known breached password lists. Businesses that still follow the old rules may not meet current NIST guidance and could face avoidable security risks.

Attackers do not need to break into your systems if they can simply log in with stolen credentials.

Many organizations make this easier without realizing it by using outdated password policies like forced resets, complexity rules, and short password minimums that no longer match current NIST guidance.

At Intelligent Technical Solutions (ITS), we help businesses build audit-ready authentication policies that align with current cybersecurity standards. As a managed security service provider (MSSP), we keep clients informed so they can make confident security decisions.

You will learn:

  • What the NIST password guidelines are
  • What the updated guidelines require in 2026

What Are the NIST Password Guidelines?

The NIST password guidelines are a set of requirements that help organizations create and manage secure passwords.

They are published by the National Institute of Standards and Technology (NIST) under SP 800-63B, which focuses on authentication and password requirements.

Although SP 800-63B was originally written for government agencies, it has become a widely accepted benchmark for secure password practices across industries such as healthcare, finance, and legal.

SP 800-63B is one part of NIST's broader Digital Identity Guidelines, which also covers identity proofing and federation.

NIST updated these guidelines in July 2025 with SP 800-63 Revision 4, which includes current requirements for authentication, security, privacy, and customer experience.

Read: What is the NIST Cybersecurity Framework?

What Do the Updated NIST Password Guidelines Require in 2026?


1. Follow the New Minimum Password Length Requirements

Under Revision 4, password length matters more than character rules. If a password is the only authentication factor (nothing else is required to log in), it must be at least 15 characters long. If it is one factor in multi-factor authentication, it must be at least eight characters long.

Systems should also allow passwords of at least 64 characters and accept spaces and all printable ASCII characters; Rev. 4 also says they should accept Unicode characters, with each code point counted as one character. This supports passphrases, which are longer, easier to remember, and often stronger than short passwords made of random symbols.

Systems should offer users the option to see their password as they type, rather than only showing dots or asterisks. This helps reduce typing errors and lets users confirm what they entered.

2. Check Passwords Against a Blocklist

When a user creates or changes a password, the system must compare it against a blocklist of commonly used, expected, or previously breached passwords.

If the password appears on the list, the user must choose a different one, and the system must explain why it was rejected.

Your blocklist should include:

  • Passwords from known breach databases
  • Common dictionary words
  • Context-specific words (e.g., the name of your service or the user's own username)
  • Repetitive and sequential passwords such as "aaaaaa" or "1234abcd", which are predictable patterns attackers test first

According to NIST SP 800-63B, the blocklist should be large enough to prevent users from choosing passwords that attackers are likely to guess before hitting the attempt limit.

Your blocklist does not need to include every possible password or dictionary word. Focus on commonly used passwords, known breached credentials, and predictable patterns. A targeted blocklist is easier to manage and helps prevent slow login checks caused by overly large password lists.


Note:
NIST updated its terminology in Revision 4, replacing the term "blacklist" with "blocklist." Update your internal policy documents to reflect this.

Read: 7 Key Components of a Strong Password Policy

3. Stop Requiring Character Rules

Systems must not require passwords to include mixtures of character types such as uppercase letters, numbers, or symbols. Under Rev. 4, NIST explicitly prohibits these rules rather than only discouraging them.

Appendix A notes that breached password data shows little benefit from these rules. It also explains that strict requirements make passwords harder to create and remember.

Users can still choose to include symbols, numbers, or uppercase letters. The change only means that systems cannot require them.

4. Provide Clear Feedback When Passwords Are Rejected

When a password is rejected, the system should provide clear feedback so users understand how to fix the problem.

Vague error messages lead to frustration and weaker workarounds, while clear feedback helps users correct mistakes and create stronger passwords.

Your system should include:

  • Password strength meters that show users how strong their password is
  • Password visibility options that help users check what they typed
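Sections 1 through 4 above are all checks a verifier runs at the moment a password is set or changed. The following is an added example, not code from ITS or from NIST, that puts them in one function: a length minimum that depends on whether MFA is in play, a generous maximum, acceptance of spaces and any printable character (it also accepts Unicode, which Rev. 4 says verifiers should do, counting each code point as one character), no composition rule, a blocklist check that also catches context-specific words, and a specific reason on every rejection. The breach corpus, the dictionary-word list, the service name and the username are constructed stand-ins.

```python
"""Rev. 4-style acceptance check for a new or changed password.

Added example for this article, not code from ITS or from NIST. The breach
corpus, the common-word list, the service name and the username are all
constructed stand-ins; a real deployment loads a full breach corpus.
"""
import string
import unicodedata

# Cap well above the 64 characters NIST says you must at least permit; the cap
# only exists so a multi-megabyte "password" cannot tie up the hashing step.
MAX_LEN = 128

# Constructed stand-in for a breach corpus (real lists hold hundreds of millions of entries).
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"}
# Constructed stand-in for a dictionary-word list.
COMMON_WORDS = {"summer", "winter", "dragon", "monkey", "football"}

# Constructed service name for the examples (hypothetical).
SERVICE = "Acme Portal"


def context_words(username: str, service: str) -> set[str]:
    """Context-specific words that must not appear anywhere in the password."""
    words: set[str] = set()
    for src in (username, service):
        folded = src.casefold()
        words.add(folded)
        words.add(folded.replace(" ", ""))
        words.update(folded.split())
    return {w for w in words if len(w) >= 4}  # ignore tiny tokens that would match everything


def check_password(pw: str, *, username: str, with_mfa: bool,
                   service: str = SERVICE) -> tuple[bool, str]:
    """Return (accepted, reason). The reason is meant to be shown to the user as-is."""
    # 1. Length: 15 when the password is the only factor, 8 when it is one factor of MFA.
    min_len = 8 if with_mfa else 15
    if len(pw) < min_len:
        return False, f"Use at least {min_len} characters; a passphrase with spaces is fine."
    if len(pw) > MAX_LEN:
        return False, f"Use at most {MAX_LEN} characters."

    # Accept spaces, all printable ASCII and Unicode; reject only control characters.
    # len() counts code points, which is how NIST says characters are counted.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        return False, "Control characters (tab, newline, ...) are not allowed."

    # 3. Deliberately no composition rule: nothing here demands digits, symbols or mixed case.

    # 2. Blocklist. Compare the casefolded password and a copy with trailing
    # digits/punctuation removed, so "Password123!" is caught as "password".
    folded = pw.casefold()
    stripped = folded.rstrip(string.digits + string.punctuation)
    for candidate in (folded, stripped):
        if candidate in BREACHED:
            return False, "This password appears in known data breaches; choose a different one."
        if candidate in COMMON_WORDS:
            return False, "This password is a common dictionary word; choose a different one."
    for word in context_words(username, service):
        if word in folded:
            return False, "The password must not contain your username or the service name."

    # 4. Clear feedback on success too, so the UI can confirm acceptance.
    return True, "Password accepted."
```

Set membership is constant-time regardless of list size, so a blocklist with hundreds of millions of breached entries does not slow the check down; the size concern in the text is about maintenance and about rejecting so much that users give up, not about lookup cost.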

Read: How to Train Your Employees to Protect Sensitive Data

5. Remove Password Hints and Security Questions

Systems must not let users store a password hint that is visible before they authenticate, and must not prompt them with knowledge-based security questions (e.g., "What was the name of your first pet?") when setting a password or recovering an account. The answers are easy to guess or to find through social media and public records.

Instead, account recovery should use a separate, secure authentication process rather than information about the user that can be looked up.

6. Support Password Managers and Autofill

Systems must allow users to use password managers and autofill. If autofill is not available, users should be able to paste their passwords into the login field.

Blocking paste makes password managers harder to use. It can also push users to choose shorter passwords that are easier to remember but weaker.

If your team uses a password manager, here are a few best practices to follow:

  • Choose a long passphrase you can memorize as your master password.
  • Create unique passwords for all accounts stored in the password manager.
  • Choose password managers that use strong encryption and protect the master password.
  • Use multi-factor authentication (MFA) to protect access to your password manager.

7. Change Passwords Only When There Is Evidence of Compromise

Scheduled password resets, such as every 60 or 90 days, are no longer allowed. Under Rev. 4, systems must not force password changes on a fixed schedule.

Password changes are only required when there is evidence of compromise, such as a known breach or signs of unauthorized access.

 

8. Store Passwords in a Form Resistant to Offline Attacks

Password breaches are common, and how passwords are stored affects the extent of the damage they can cause. Salting and hashing passwords help protect them from offline attacks.

 

[Figure: salted password hashing process]

Under NIST SP 800-63B Rev. 4 Section 3.1.1.2, passwords must be salted and hashed using a suitable password hashing scheme: one that takes the password, a salt, and a cost factor, and is deliberately slow so that every guess against a stolen hash file is expensive. PBKDF2, specified in SP 800-132, is one such scheme; set its cost factor (the iteration count) as high as your verification servers can tolerate.

The salt must be at least 32 bits long and random for each password, and the system must store both the salt and the hash for each password. In practice, use a longer salt (16 random bytes is common) so that no two stored hashes ever share one.

Storing passwords in plain text or using weak hashing methods puts users at serious risk if your systems are breached.

 

Need Help Applying the NIST Password Guidelines?

NIST SP 800-63B Rev. 4 changes how passwords should be managed. It focuses on longer passwords, removes required character rules, uses blocklists to stop weak passwords, and limits password changes to cases where there is evidence of compromise.

Following these practices can help reduce password-related risks while making login easier for your team.

Since 2003, Intelligent Technical Solutions has helped hundreds of businesses stay ahead of evolving security standards through managed cybersecurity services built around their specific risks and compliance needs.

Our security team can assess your current password policies, identify gaps against NIST Rev 4, and guide you through the right changes.

Ready to review your current password policies? Schedule a free cybersecurity consultation to get started.


Frequently Asked Questions (FAQs)

Q: Do I still need to require special characters in employee passwords?

A: No, NIST Rev 4 prohibits systems from requiring composition rules such as uppercase letters, numbers, or special characters. Users can still choose to include them, but your system must not require them.

Q: When should employees be required to change their passwords?

A: Passwords should be changed only when there is evidence of compromise, such as a confirmed breach or suspicious login activity. Scheduled resets, like every 90 days, are no longer allowed and can weaken security by encouraging predictable patterns.

Q: What is the difference between a blacklist and a blocklist?

A: They refer to the same concept, but NIST now uses the term "blocklist" instead of "blacklist." In password systems, a blocklist includes commonly used, expected, or compromised passwords that users must not be allowed to set.

Claudine Santiago

Claudine has 5+ years of experience in SEO and content writing, with expertise in technical and B2B content. She expresses herself through fashion and maintains balance through an active lifestyle at the gym. With a background in Psychology, Claudine is naturally curious about people and their stories. She channels this curiosity into crafting narratives that connect brands with audiences. Her passions and profession align, fueling her drive to create with imagination, curiosity, and heart.