You don’t have to change your password anymore!

Why Longer Passwords and MFA Matter More Than Ever

For years, one of the most common IT security rules was simple: change your password every 60–90 days. Users groaned, sticky notes appeared, and password patterns got easier—not harder—for attackers to guess.

Today, that guidance has changed.
The National Institute of Standards and Technology (NIST) now recommends a fundamentally different approach to password security—one that focuses on longer passwords, multi-factor authentication (MFA), and fewer forced password changes.
Let’s break down what changed, why it matters, and what organizations should be doing now.


What Is NIST?

NIST is a U.S. government agency within the Department of Commerce. Its mission is to develop standards and guidelines that help organizations improve security, reliability, and interoperability across technology systems.

In cybersecurity, NIST publications—especially the NIST Special Publication (SP) 800-series standards—are widely adopted by:

  • Federal agencies
  • State and local governments
  • Enterprises and MSPs
  • Organizations pursuing SOC 2, CMMC, ISO 27001, or similar compliance frameworks

While NIST standards are not laws by themselves (outside of federal use), they are often considered best practice and heavily influence audits and regulatory expectations.


The Big Shift: No More Routine Password Expiration

Under NIST SP 800-63B (Digital Identity Guidelines), NIST now advises against forcing users to change passwords on a fixed schedule, unless there is evidence of compromise.

Why the Old Rule Failed

Frequent password expiration led to predictable and insecure behavior:

  • Incrementing passwords (Summer2024!, then Fall2024!, and so on)
  • Reusing passwords across systems
  • Writing passwords down
  • Choosing shorter, easier-to-remember passwords

Ironically, forced rotation often reduced security instead of improving it.


What NIST Recommends Instead

1. Longer Passwords (Passphrases)

NIST emphasizes length over complexity.

  • Minimum recommended length: 15 characters
  • Encourage passphrases instead of complex strings
    • Example: correct-horse-battery-staple
  • Allow spaces and all printable characters
  • Do not require arbitrary complexity rules that hurt usability
  • Use different passwords on different systems unless using Single-Sign-On

Longer passwords dramatically increase resistance to brute-force and credential-stuffing attacks.


2. Multi-Factor Authentication (MFA)

MFA is now considered essential, not optional.

NIST recommends MFA—especially for:

  • Remote access
  • Cloud services
  • Administrative accounts
  • Privileged or sensitive systems

Even if a password is compromised, MFA stops the attacker in nearly all cases.


3. Change Passwords Only When There’s Risk

Instead of scheduled changes, NIST advises password resets when:

  • A breach is suspected or confirmed
  • Credentials appear in known compromise lists
  • Unusual login behavior is detected

This approach is risk-based, not calendar-based—and far more effective.
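The rules from sections 1 and 3 above (length over complexity, spaces and all printable characters allowed, no composition rules, reject values on a known-compromise list) can be turned into a small verifier-side check. The code below is an added example written for this article, not code from NIST or from MC Services; the compromised-password set is a constructed stand-in for a real breach feed, and the NFKC normalization step is taken from SP 800-63B's recommendation to normalize Unicode before measuring length.

```python
import unicodedata

# Constructed sample blocklist standing in for a real breached-password feed.
# Stored lowercase so lookups are case-insensitive. The famous example passphrase
# is included on purpose: well-known examples end up on every attacker wordlist.
COMPROMISED_PASSWORDS = {
    "password123456789",
    "correct-horse-battery-staple",
    "summer2024!fall2024!",
}

MIN_LENGTH = 15  # the article's recommended minimum, counted in characters


def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical input compares equal (SP 800-63B).
    Spaces are deliberately NOT trimmed or stripped: they are allowed characters."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "",
                   blocklist=COMPROMISED_PASSWORDS) -> list[str]:
    """Return the reasons a candidate password is rejected; empty list = accepted.

    Rules implemented:
      - at least MIN_LENGTH characters after normalization (characters, not bytes)
      - any printable character, including spaces, is allowed; no composition rules
      - must not appear on the known-compromised list
      - must not contain the account name (a context-specific blocklist entry)
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(not ch.isprintable() for ch in pw):
        problems.append("contains non-printable characters")
    if pw.lower() in blocklist:
        problems.append("appears in known-compromised list")
    if len(username) >= 4 and username.lower() in pw.lower():
        problems.append("contains the account name")
    return problems


if __name__ == "__main__":
    for candidate in ["short", "a long passphrase with spaces", "Summer2024!Fall2024!"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that the same check runs at password-set time and again when a new breach list arrives: a stored hash matching a newly published compromised value is exactly the "evidence of compromise" that should trigger a reset under the risk-based rule.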


What This Means for Businesses

Organizations should update their security policies to align with modern guidance:

Recommended Actions

  • Increase minimum password length to 15 characters or longer
  • Eliminate routine expiration for standard users
  • Enforce MFA wherever possible
  • Monitor for compromised credentials
  • Educate users on passphrases and phishing awareness

These changes improve:

  • Security posture
  • User experience
  • Compliance alignment (SOC 2, CMMC, CIS Benchmarks)

Security That Actually Works

NIST’s updated guidance reflects a simple truth:
Security must match how people actually behave.

Longer passwords, fewer forced changes, and strong MFA result in:

  • Fewer compromises
  • Less user frustration
  • Stronger overall defenses

If your organization is still relying on outdated password rules, now is the time to modernize.

Need help updating your password and MFA policies?
MC Services can help ensure your environment aligns with NIST guidance—without making life harder for your users.
