In an age where cyber threats are escalating, outdated password policies are no longer just inefficient — they’re dangerous. The National Institute of Standards and Technology (NIST) is updating its Special Publication 800-63, the definitive guide on digital identity and password management. The upcoming 2024 update, SP 800-63-4, will bring significant changes that businesses, IT admins, and security professionals must adapt to in order to stay secure.
The updates are crucial not just for compliance but also to ensure best practices in password security that can protect against modern cyber threats. If you’re still operating with outdated policies like the infamous “60-day password change rule,” it’s time to stop. Here’s why, and what you need to know about the new NIST guidelines.
Outdated Password Policies: A Security Risk
One of the most outdated practices still prevalent today is forcing users to change their passwords at arbitrary intervals, like every 60 or 90 days. While this might have been recommended in the past, NIST’s research shows that such policies are not only outdated but can actually make organisations more vulnerable to breaches.
Forcing frequent password changes often leads to predictable patterns like “Password1” or “Password2,” especially when password complexity rules are in play. Attackers take advantage of these patterns, using breached wordlists to easily crack passwords. The 2020 update (SP 800-63-3) already started discouraging this practice, but the new 2024 guidelines (SP 800-63-4) go further in recommending how organisations should handle passwords.
When Should Passwords Be Changed?
The 2024 guidelines clarify that password resets should only be required in specific cases:
- After a breach or compromise of the user’s account.
- At the user’s request, when they suspect their credentials may have been compromised.
No more mandatory 60-day or 90-day resets unless a breach has occurred.
Key Changes in SP 800-63-4
The forthcoming SP 800-63-4 (you can view the full guidelines here) aims to modernise password practices by emphasising security over inconvenience. The publication is part of a broader series, including:
- 800-63A: Identity Proofing and Enrollment
- 800-63B: Authentication and Lifecycle Management
- 800-63C: Federation and Assertions
Here are some notable points from the 2024 edition:
- Encouraging the use of phrases: Instead of relying on complex combinations of letters, numbers, and symbols, NIST encourages users to create long passphrases — even allowing spaces. Passphrases are easier to remember and type, yet harder for attackers to crack.
- Phishing-resistant authentication: The guidelines also stress the importance of using phishing-resistant authentication methods, particularly multi-factor authentication (MFA). This is particularly relevant as major platforms like Microsoft plan to turn off legacy authentication methods in the near future.
- Aligning with NIS2: The guidelines align with other global standards, such as the NIS2 Directive in the EU, which also calls for robust password management practices. Both frameworks are designed to mitigate cybersecurity risks by modernising how organisations handle sensitive data and user credentials.
Comparison of Outdated Password Practices vs. NIST 2024 Guidelines (SP 800-63-4)
| Criteria | Outdated Practices (Pre-2020) | NIST 2024 Guidelines (SP 800-63-4) |
|---|---|---|
| Password Expiration | Forced password changes every 60-90 days | Only change after a breach or at user request |
| Password Complexity | Required combination of uppercase, lowercase, numbers, symbols | Encourages passphrases with spaces and avoids strict complexity rules |
| User Behaviour Impact | Predictable passwords (e.g., Password1, Winter2024) | Longer, memorable passphrases (e.g., “I love coffee every morning”) |
| Phishing-Resistant Methods | Legacy authentication methods allowed | Encourages use of multi-factor and phishing-resistant methods |
| Authentication System Examples | Common in older systems, including some versions of Active Directory | Applicable to all modern systems, including updated Active Directory |
| Reset Triggers | Mandatory resets at arbitrary intervals | Reset after breach, or when the user feels compromised |
Practical Application: Active Directory & Other Systems
It’s essential that businesses apply these updated NIST guidelines across all systems that manage passwords, including Active Directory (AD). For organisations using Microsoft solutions like Azure Active Directory (Azure AD), the transition to modern password practices is seamless. Azure AD supports phishing-resistant authentication methods such as multi-factor authentication (MFA) and passwordless sign-ins, which align with the 2024 NIST guidelines. You can read more about Microsoft’s password management and security solutions on their Azure AD Security Overview page.
By leveraging Microsoft’s security tools and best practices, you can ensure that your organisation is fully aligned with these modern standards while taking advantage of Microsoft’s secure, cloud-based authentication.
Why Password Complexity Rules Don’t Work
Forcing users to include uppercase letters, numbers, and symbols often leads to predictable behaviour. This results in easy-to-guess passwords like “Password1!”, “Winter2024”, and other variants that attackers can quickly exploit. By moving towards phrase-based passwords and allowing spaces, we give users the freedom to create something that’s both memorable and secure.
Cybersecurity researchers and hackers regularly use breach wordlists to analyse user behaviour, and predictable passwords make their jobs easier. So why not stay ahead of the curve by adopting the NIST password guidelines now?
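To make the contrast concrete, here is an added example (not code from the original post or from NIST) that places a legacy composition-rule checker beside a check in the style of SP 800-63B: length and a breached-password blocklist only, spaces allowed, no character-class rules. The blocklist and the candidate passwords are constructed sample data; the canonicalisation step is an assumption about how to catch the “Password1”/“Password2” pattern the post describes.

```python
import re
import unicodedata

# Constructed stand-in for a breached/common-password blocklist. A real
# deployment would load a large corpus rather than this handful of entries.
BREACHED_BLOCKLIST = {
    "password", "password1", "winter2024", "welcome1", "qwerty123", "letmein",
}

MIN_LEN = 8    # SP 800-63B minimum length for memorised secrets
MAX_LEN = 64   # verifiers should accept at least 64 characters


def legacy_complexity_ok(pw: str) -> bool:
    """Outdated policy: 8+ characters and three of four character classes.
    Happily accepts predictable choices such as 'Password1!' and 'Winter2024'."""
    classes = [
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[0-9]", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def _canonical(pw: str) -> str:
    """Strip the mutations users bolt on to satisfy complexity rules (case,
    trailing digits/symbols, common leetspeak) so that 'P@ssw0rd2!' and
    'Password1' both collapse to 'password' (assumed heuristic)."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = re.sub(r"[^a-z]+$", "", s)                     # drop trailing '1!', '2024', ...
    return s.translate(str.maketrans("@$013", "asoie"))  # @->a $->s 0->o 1->i 3->e


# Canonicalise the blocklist once so lookups compare like with like.
CANON_BLOCKLIST = {_canonical(w) for w in BREACHED_BLOCKLIST}


def nist_password_ok(pw: str) -> tuple[bool, str]:
    """SP 800-63B style check: length bounds plus blocklist, nothing else.
    Spaces and Unicode are allowed; there is no composition rule and no expiry."""
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < MIN_LEN:
        return False, "too short"
    if len(norm) > MAX_LEN:
        return False, "too long"
    if _canonical(norm) in CANON_BLOCKLIST:
        return False, "matches a breached or commonly used password"
    return True, "ok"


if __name__ == "__main__":
    for cand in ["Password1!", "Winter2024", "P@ssw0rd2!", "i love coffee every morning"]:
        print(f"{cand!r}: legacy={legacy_complexity_ok(cand)} nist={nist_password_ok(cand)}")
```

Run as a script, it shows the legacy rule passing the three predictable passwords while rejecting the lowercase passphrase, and the NIST-style check doing the reverse.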
The Way Forward
NIST’s 2024 password guidelines are a major step forward in making digital identity more secure and user-friendly. If you’re an IT admin, cybersecurity professional, or business owner, it’s time to ditch outdated policies and embrace these new standards.
The world of password management is evolving, and by adhering to these new guidelines, you’re not only protecting your organisation but also making it harder for attackers to exploit common weaknesses.
Is your organisation still relying on outdated password policies? Don’t wait until a breach occurs. Start aligning your systems with the latest NIST 2024 guidelines and explore Microsoft’s advanced security solutions like Azure AD for enhanced protection. Share this blog post to spread the word and secure your digital future.