- Your iPad is getting a major upgrade for free. 4 top features I can't wait to try in iPadOS 26
- Your MacBook is getting a big upgrade. 5 best features I can't wait to use in MacOS 26
- The Growing Threat of AI-powered Cyberattacks in 2025
- I test tablets for a living and this is the Samsung tablet I recommend the most
- The Cost of Ignoring Patches: How State and Local Governments Can Mitigate Damaging Security Breaches
NIST Scraps Passwords Complexity and Mandatory Changes
Using a mixture of character types in your passwords and regularly changing passwords are officially no longer best password management practices according to new guidelines published by the US National Institute of Standards and Technology (NIST).
In NIST’s latest version of its Password Guidelines, the leading security standards organization suggested credential service providers (CSPs) stop recommending passwords using several character types and to stop mandating periodic password changes unless the authenticator has been compromised.
Additionally, NIST required CSPs not to use knowledge-based authentication (KBA) or security questions when choosing passwords.
These decisions formalize principles that public and private organizations like the US Federal Trade Commission and Microsoft have long recommended.
Read more: It’s Time to Take a Modern Approach to Password Management
Good Passwords Between 15-64 Characters
The latest guidelines still require passwords to be at least eight characters.
Other notable recommendations include:
- Passwords should be of a minimum of 15 characters
- CSPs should allow passwords of a maximum of at least 64 characters
- CSPs should allow ASCII and Unicode characters to be included in passwords
The new guidelines were published in September 2024 as part of NIST’s second public draft of SP 800-63-4, the latest version of its Digital Identity Guidelines.
The previous version of NIST’s Password Guidelines was published in 2020.
Read more: Five Ways to Dramatically Reduce the Risk of Password Compromise
