New rules for secure passwords (in 2025) according to NIST
Digital security is an area that requires constant attention to current standards and practices. A significant development in this area is the update to the password management guidelines published by the US National Institute of Standards and Technology (NIST) for 2025. This article focuses on the major changes that NIST is bringing and provides practical advice on how to implement them effectively in corporate IT systems. The goal is to help you understand the significance of these changes not only from a security perspective, but also in terms of compliance with legislative requirements that have a major impact on, for example, GDPR or HIPAA.
NIST guidelines provide a global framework for setting and managing passwords, not only in government but increasingly in the commercial sector as well. They reflect real needs in the security sector and build on research instead of outdated assumptions.
Main innovations include an increase in the recommended length of passwords - currently NIST recommends a range of 8 to 64 characters. This shift favors easy-to-remember but long passwords over complex but short and frequently repeated passwords. A significant change is the abandonment of mandatory periodic password changes, which in the past were considered a security necessity; now, password changes are only required if an account is demonstrably compromised.
Composition requirements (mandatory special characters, mixes of upper- and lower-case letters) often lead to predictable combinations that are easily guessed by attackers. Instead, it is advisable to accept all character types, including spaces, and to encourage users to create unique and memorable passphrases.
Next, NIST recommends implementing dynamic blocklists, that is, actively maintained lists of prohibited passwords, such as those that have been revealed in data leaks, contain a company or employee name, or exhibit common patterns. It also calls for completely abandoning outdated recovery mechanisms based on knowledge-based questions, whose answers can often be found on social networks, and moving to stronger identity verification methods such as one-time authentication codes or security links. There is also an emphasis on using modern security controls: limiting failed login attempts, setting up multi-factor authentication (MFA) and deploying enterprise password management to automate the creation, storage and secure use of complex, unique credentials.
For companies looking to implement the new NIST-recommended requirements, the first step is a comprehensive audit of current policies and processes. This is followed by technical modification of systems to support longer passwords and the use of spaces and special characters, while removing unnecessary complexity requirements for character combinations. The blocklist should be regularly updated and linked to external leak databases. Furthermore, it is advisable to increase the level of security through multi-factor authentication and to introduce effective training and communication for users on the new rules, including the introduction of password management tools. These tools are key because of their ability to generate strong passwords and eliminate reuse across services.
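The policy described above (8 to 64 characters, spaces and any character type accepted, a breach blocklist plus organisation-specific terms, no composition rules, no expiry, and a limit on failed login attempts) is easiest to reason about as a concrete verifier. The following is an added example written for this article; it is not code from the article's author, from NIST, or from any product. The blocklist and the organisation terms are constructed sample data, and the Unicode NFKC normalisation step is taken from NIST SP 800-63B itself rather than from the text above.

```python
"""Password acceptance and login throttling in the spirit of the NIST guidance.

Added example, not code from the article or from NIST. The blocklist and
organisation terms below are constructed placeholders.
"""
import re
import unicodedata

MIN_LENGTH = 8    # minimum length from the article
MAX_LENGTH = 64   # maximum length the system must accept (article: 8 to 64)

# Constructed sample blocklist. In production this is a regularly refreshed
# feed of passwords seen in breaches, not a hard-coded set.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1",
}

# Hypothetical organisation-specific terms that must not appear in a password.
CONTEXT_TERMS = ("examplecorp", "acme")


def normalize(password: str) -> str:
    """NFKC-normalise so the same visible string always hashes to the same bytes
    (SP 800-63B recommends NFKC or NFKD before hashing)."""
    return unicodedata.normalize("NFKC", password)


def has_trivial_pattern(pw: str) -> bool:
    """Reject a single repeated character or a short unit repeated 3+ times
    ('aaaaaaaa', 'abcabcabc')."""
    lowered = pw.lower()
    if len(set(lowered)) == 1:
        return True
    return re.fullmatch(r"(.{1,4})\1{2,}", lowered) is not None


def check_password(password: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules ('must contain a digit/symbol') and
    any expiry logic, following the guidance summarised in the article.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in the breached-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for term in CONTEXT_TERMS:
        if term in lowered:
            reasons.append(f"contains organisation term '{term}'")
    if has_trivial_pattern(pw):
        reasons.append("uses a trivial repeated pattern")
    return reasons


def password_accepted(password: str, username: str = "") -> bool:
    return not check_password(password, username)


class FailedLoginThrottle:
    """Lock an account after too many failed attempts inside a time window.

    The caller passes the current time so the logic is deterministic to test.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, list[float]] = {}

    def is_locked(self, account: str, now: float) -> bool:
        # Drop failures that have aged out of the window, then count the rest.
        recent = [t for t in self._failures.get(account, [])
                  if now - t < self.lockout_seconds]
        self._failures[account] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._failures.setdefault(account, []).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Welcome1", "abcabcabc"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

A passphrase with spaces passes as long as it is within the length range and not on the blocklist, while a blocklisted or pattern-based string is rejected regardless of which character classes it contains. The throttle keeps per-account state only, so a distributed credential-stuffing attempt across many accounts should additionally be watched at the network or monitoring layer.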
The new NIST requirements are not mandatory for all organizations, but many regulated industries (finance, healthcare, and others) are already incorporating them into their regulatory frameworks. Therefore, from a reliability, flexibility and security effectiveness perspective, it is advisable to implement them now - increasing both your resilience to increasingly sophisticated cyber-attacks and your confidence in audits and compliance checks.
Correct and timely implementation of new password management practices is the cornerstone of cybersecurity. A comprehensive approach that includes process review, technology adjustments, implementation of modern tools and employee training provides the best protection against data compromise and ensures a high level of security throughout the organization. If you are interested in a security audit, setting up a corporate password manager, or implementing multi-factor authentication, please contact us.