Password Rotation, Complexity Requirements, or Security Questions – All Bad Practices?
The latest NIST draft guidelines on password security are moving away from widely used practices that many organizations still rely on. Here's a breakdown of the key changes.
Outdated Password Practices No Longer Allowed per NIST
Periodic Password Resets: Users shall only be required to change their passwords if their account has been breached. The common practice of periodic password rotation is no longer permitted.
Password Complexity: No more requirements for complex character combinations. The NIST standard no longer enforces combinations of special characters, uppercase letters, and numbers when creating passwords.
Password Hints and Security Questions: These are also on the chopping block. Security questions like “What was the name of your first pet?” or hints visible to an unauthenticated party are deemed insecure.
Why These Changes Matter
The new recommendations are based on years of research showing that forced password resets and complex rules result in weaker security. Periodic password changes often lead to users creating predictable passwords or reusing them across multiple accounts. Complexity rules encourage users to store passwords in unsafe ways, like writing them down.
Real-World Impact
Many organizations, especially those using Active Directory, still adhere to these outdated practices. This can create a disconnect with the newer NIST guidelines, which are increasingly aligned with modern identity systems. For instance, Microsoft's Secure Score tool for Microsoft 365 rewards organizations that have disabled password rotation with a higher security rating.
The Focus on Password Length
In its latest draft, NIST shifts the focus to password length as a critical security factor. While the minimum required length remains 8 characters, NIST advises using at least 15 characters for stronger protection. This recommendation acknowledges that length, rather than complexity, offers greater security against brute-force attacks.
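To make the length-versus-complexity point concrete, here is an added Python example (not code from the article or from NIST) that checks a candidate password against a legacy "three of four character classes" policy and against a length-first check in the style of the draft guidance; the blocklist contents, the 8/15-character thresholds and the NFKC normalization step are assumptions of this example.

```python
"""Legacy complexity policy vs. a length-first check (NIST SP 800-63B style)."""
import math
import re
import unicodedata
from dataclasses import dataclass

# Constructed, deliberately tiny blocklist for the example. A real verifier
# would screen against a large list of known-breached passwords (assumption).
BLOCKLIST = {"password", "password1", "qwerty123", "welcome1"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def legacy_check(pw: str) -> Verdict:
    """Old-style policy: at least 8 characters and 3 of 4 character classes."""
    if len(pw) < 8:
        return Verdict(False, "shorter than 8 characters")
    classes = sum(bool(re.search(p, pw)) for p in CHARACTER_CLASSES)
    if classes < 3:
        return Verdict(False, "fails complexity rule (needs 3 of 4 classes)")
    return Verdict(True, "ok")


def nist_check(pw: str, minimum: int = 8, recommended: int = 15) -> Verdict:
    """Length-first policy: no composition rules, no periodic expiry.

    Length is counted in Unicode code points after NFKC normalization, so a
    passphrase with accented characters is measured fairly. Known-bad values
    are rejected via the blocklist; everything else is judged on length only.
    """
    norm = unicodedata.normalize("NFKC", pw)
    length = len(norm)  # Python str length is already in code points
    if length < minimum:
        return Verdict(False, f"shorter than {minimum} characters")
    if norm.casefold() in BLOCKLIST:
        return Verdict(False, "appears in the blocklist of known-bad passwords")
    if length < recommended:
        return Verdict(True, f"accepted; {recommended}+ characters recommended")
    return Verdict(True, "ok")


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Size of the search space, in bits, for an exhaustive guessing attack."""
    return length * math.log2(alphabet_size)
```

Running `legacy_check("correct horse battery staple")` rejects a 28-character passphrase that `nist_check` accepts, while `brute_force_bits(15, 26)` exceeds `brute_force_bits(8, 95)`, which is the page's length-over-complexity argument in numbers.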
These shifts signal a new approach to password management that prioritizes both security and user experience. It's time for organizations to move away from outdated password policies and embrace these modern, research-backed practices.