Most enterprise password policies were designed in the early 2000s and haven't kept up with what we now know about how people actually behave — and how attackers actually work. Here's what NIST's current guidelines say, and what teams should actually implement.
What the old policies got wrong
Traditional enterprise password policies typically required: 8-character minimum, uppercase + lowercase + number + symbol, mandatory rotation every 60–90 days. This approach had a logical basis, but it failed in practice because it ignored human psychology.
When forced to rotate passwords regularly, users don't generate fresh random passwords — they make minimal changes: Password1! becomes Password2!, then Password3!. When required to include symbols, they append !. When required to remember complex passwords, they write them on sticky notes or reuse them everywhere.
⚠️ NIST now recommends against: Mandatory periodic rotation without evidence of compromise, overly complex composition rules (which lead to predictable patterns), security questions (which are easily guessed or researched), and password hints.
NIST SP 800-63B: the current standard
NIST's current Digital Identity Guidelines (SP 800-63B, updated 2024) recommend:
- Minimum 8 characters (with longer being better — allow up to 64+)
- Check against breach databases — reject known compromised passwords
- No mandatory rotation unless there's evidence of compromise
- No complexity rules that lead to predictable patterns
- Allow all printable characters including spaces
- Require MFA for all users, especially privileged accounts
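The list above translates almost directly into verifier logic. The following is an added example (not code from NIST or from this article) of a memorized-secret check in the style of SP 800-63B: a length floor and a generous ceiling, NFKC normalization so spaces and any printable character are accepted as typed, a breach-corpus lookup, and rejection of context-specific words such as the username. The breach corpus here is a constructed five-entry stand-in for a real blocklist; there are deliberately no composition rules and no rotation age.

```python
"""Added example: a memorized-secret verifier in the style of NIST SP 800-63B.

Not code from NIST or the article; the breach corpus is a constructed stand-in
for a real blocklist such as a Pwned Passwords export.
"""
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 8    # NIST minimum for user-chosen secrets
MAX_LENGTH = 128  # NIST requires accepting at least 64; a higher ceiling only bounds hashing cost

# Constructed stand-in for a breach corpus; a real one holds hundreds of
# millions of entries and would live in a database or behind an HIBP lookup.
CONSTRUCTED_BREACH_CORPUS = {
    "password", "password1!", "123456789", "qwertyuiop", "letmein123",
}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def normalize(secret: str) -> str:
    """NIST: apply Unicode NFKC before comparison so the same text typed with
    different input methods (ligatures, full-width forms) compares equal.
    Spaces and every printable character are kept; nothing is stripped."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, username: str = "", service_name: str = "",
                   corpus=CONSTRUCTED_BREACH_CORPUS) -> Verdict:
    """Return a Verdict; `reasons` lists every rule the secret failed.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    rotation age, both of which the current guidelines advise against.
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Blocklist check. casefold() makes this stricter than an exact-hash
    # lookup: "Password1!" is rejected because "password1!" is in the corpus.
    if s.casefold() in corpus:
        reasons.append("found in breach corpus")
    # Context-specific words: NIST also wants the username and the service
    # name rejected when they appear inside the secret.
    for label, ctx in (("username", username), ("service name", service_name)):
        if ctx and ctx.casefold() in s.casefold():
            reasons.append(f"contains the {label}")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password1!", "short",
                      "alice-rocks-2024"]:
        v = check_password(candidate, username="alice", service_name="ExampleCorp")
        print(f"{candidate!r}: {'accept' if v.ok else 'reject: ' + '; '.join(v.reasons)}")
```

Note what passes and what fails: a four-word phrase with spaces is accepted, a string of ten identical letters is accepted too (no composition rule exists to stop it), while a short secret, a breached one, or one containing the account name is rejected with the specific reason so the user can fix it.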
What actually works for teams
✅ Mandate a password manager
Provide an enterprise password manager (1Password Teams, Bitwarden Business) and require its use. This is the single highest-impact policy change you can make.
✅ Require MFA everywhere
Phishing-resistant MFA (hardware keys or TOTP) on all accounts. Accept no exceptions for "inconvenience." The risk of an account compromise vastly outweighs the friction.
✅ Monitor for breached credentials
Integrate with Have I Been Pwned's API or an enterprise service to check whether employee credentials appear in breach databases, and require an immediate password change when they do.
✅ Train on phishing recognition
Run regular phishing simulations and training. Password strength is irrelevant against a successful phish — recognition is the only defense.
✅ The modern policy in one sentence: Use a password manager for unique random passwords, require MFA on all accounts, monitor for breached credentials, and train employees to recognize phishing.