NIST Now Discourages Mandatory Complexity Rules
NIST's updated guidelines explicitly recommend against requiring users to mix uppercase, lowercase, numbers, and symbols. The reasoning: these rules lead to predictable patterns (Password1!) that are technically compliant but practically weak. Instead, NIST recommends focusing on length — a minimum of 8 characters for user-selected passwords and 6 for randomly generated ones.
NIST Discourages Periodic Password Changes
The old advice to change passwords every 90 days has been dropped. NIST now recommends changing passwords only when there is reason to believe they have been compromised. Forced frequent changes lead users to make minimal modifications (password1 → password2), which provide almost no security benefit.
Checking Against Breached Password Lists
NIST recommends that systems check proposed passwords against known breached password lists and reject any that appear in them. Services like HaveIBeenPwned's Pwned Passwords API allow checking billions of previously exposed passwords. This prevents users from unwittingly adopting credentials already in attacker databases.
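As an added illustration (not code from this article), here is the client-side shape of that check in Python: the password is hashed with SHA-1, only the first five hex characters of the hash are sent to a range lookup, and the full hash is compared locally against the returned suffixes. The range lookup here is a constructed stand-in for the Pwned Passwords range endpoint, seeded with a made-up breach list; the length floors are the 8/6 figures above.

```python
import hashlib
from typing import Callable, Optional

# Constructed stand-in for a breach corpus (passwords and counts invented for
# this example); a real deployment queries the range endpoint instead.
CONSTRUCTED_BREACHED = {"password": 3861493, "Password1!": 2421, "letmein": 236597}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Simulates the k-anonymity range endpoint: for a 5-hex-char prefix,
    return every matching hash suffix with its breach count, one per line."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Client side of the check: only the prefix leaves the client, and the
    remaining 35 hex characters are matched locally. Returns the breach count."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, range_lookup=fake_range_lookup,
                      user_chosen: bool = True) -> Optional[str]:
    """Return a rejection reason, or None if acceptable. Applies only the two
    rules discussed above: a length floor and a breach-list check. There is
    deliberately no upper/lower/digit/symbol composition requirement."""
    min_len = 8 if user_chosen else 6
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    count = pwned_count(password, range_lookup)
    if count:
        return f"found in breach data {count} times"
    return None
```

Note that "Password1!" passes every classic composition rule and still gets rejected, while a long passphrase with no symbols passes.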
What This Means for Your Personal Security
For individuals, these guidelines confirm what security researchers have long recommended: use long, random passwords generated by a tool rather than chosen by a human. Don't stress about mandatory complexity requirements if your password is genuinely long and random. Store them in a password manager and don't change them unless you have reason to believe they're compromised.
NIST's guidelines validate the random-generation approach: prioritize length, use genuine randomness, check against breach databases, and stop forcing yourself to change working passwords on arbitrary schedules.