Password Length vs Complexity — What NIST SP 800-63 Says You Should Do
- NIST SP 800-63B recommends prioritizing length over character complexity requirements.
- Mandatory special characters and rotation schedules are no longer recommended.
- At least 8 characters is the minimum; NIST recommends supporting up to 64 characters.
- Blocking known compromised passwords (breach lists) matters more than complexity rules.
Table of Contents
For years, IT policies required passwords with uppercase, lowercase, numbers, and at least one symbol — changed every 90 days. NIST retired that guidance. The current recommendation (NIST SP 800-63B) says length is more important than complexity, mandatory rotation does more harm than good, and blocking breached passwords matters more than character requirements.
What NIST SP 800-63B Actually Recommends
NIST Special Publication 800-63B is the federal standard for digital identity — the framework most US government agencies and many private companies use for authentication policies. The current version broke from decades of convention in several ways:
- Minimum length of 8 characters — but NIST recommends supporting up to 64 characters and encouraging users to use longer passwords
- No mandatory composition rules — do not require uppercase, lowercase, numbers, and symbols if users can choose long passwords freely
- No mandatory periodic rotation — only require password changes when there is evidence of compromise
- Block known compromised passwords — check submitted passwords against breach databases (like Have I Been Pwned's list of 800 million+ leaked passwords)
- No password hints or knowledge-based authentication — security questions are considered unreliable
The rationale: complexity requirements create predictable patterns (Summer2024!), while long random passwords or passphrases are harder to crack without being harder for humans to create.
The Math: Why Length Beats Complexity
Password entropy (the measure of cracking difficulty) scales differently with length versus character variety:
- Adding one character to a password multiplies combinations by the size of the character set
- Adding one more character type (say, adding symbols) multiplies combinations by the number of new symbols available
For a password using uppercase + lowercase + digits (62 possible characters per position), going from 12 to 13 characters multiplies combinations by 62. That is a much larger increase than adding a symbol requirement to a 12-character password.
In practical terms: "treehouse-river-cloud-41" (24 chars, no symbols) is dramatically stronger than "Tr3H0u$e!" (9 chars, full complexity). The former has roughly 20x more entropy despite looking "simpler."
Sell Custom Apparel — We Handle Printing & Free ShippingWhy NIST Says to Stop Mandatory Password Rotation
The logic behind quarterly password rotation was sound in theory: even if a password is stolen, it expires before the attacker can use it extensively. In practice, forced rotation has the opposite effect.
When users know they must change a password every 90 days, they create predictable sequences: Password1 becomes Password2 becomes Password3. Attackers know this pattern and exploit it. Microsoft research found that mandatory rotation dramatically increases the use of weak, predictable passwords.
NIST's revised guidance: change passwords only when there is evidence of compromise (a breach notification, suspicious login activity, or a known data exposure). Keep strong passwords unchanged rather than rotating to weaker predictable ones.
This represents a genuine shift in security thinking — from "security through inconvenience" to "security through actual strength."
What This Means for Your Passwords Today
If your passwords were created under the old rules (8 characters, mandatory complexity, quarterly rotation), here is the practical upgrade path:
- Prioritize length: Replace short complex passwords with longer ones. A 16-character password with only mixed case and digits is stronger than an 8-character password with all four character types.
- Use passphrases for memorable passwords: Four unrelated random words separated by hyphens gives you 25+ characters that are easy to type.
- Stop rotating strong passwords: If a password is long, random, and unique to one service, do not change it unless there is a breach.
- Check for breach exposure: A strong password that has appeared in a breach database is compromised regardless of its strength score. Use a breach checker separately — strength checkers do not cover this.
- Use different passwords per service: NIST emphasis on breach blocking assumes your passwords are unique. Reusing a strong password eliminates the benefit.
What Your Corporate IT Policy May Still Get Wrong
NIST updated its guidelines in 2017 and has refined them since. Most corporate IT policies have not caught up. Common rules that NIST no longer recommends:
- Requiring at least one uppercase, lowercase, number, and symbol in a fixed short window
- Maximum password length limits below 64 characters
- 90-day or 180-day rotation schedules applied universally
- Security questions for account recovery
- Password complexity meters that give green lights to "Summer2024!" but red lights to "correct-horse-battery-staple"
If your organization enforces any of these, the policies were written before the current evidence base. NIST SP 800-63B is publicly available and free to reference when advocating for policy updates.
Check If Your Current Password Meets Modern Standards
Enter any password and see how it scores against length, entropy, and the factors NIST actually recommends measuring. Fully private — nothing leaves your browser.
Open Password Strength CheckerFrequently Asked Questions
Does NIST say to never use special characters?
No. NIST says you should not mandate special characters as a requirement when you can instead encourage longer passwords. Special characters still increase entropy — the point is that length is more effective per policy requirement, and complexity mandates lead to predictable workarounds.
Should I change my passwords every 90 days?
NIST no longer recommends mandatory periodic rotation. Change passwords when there is evidence of compromise — a breach notification, suspicious activity, or a known exposure. Strong, unique passwords can remain unchanged indefinitely if there is no sign of compromise.
What is the minimum password length NIST recommends?
NIST SP 800-63B sets a minimum of 8 characters but recommends supporting up to 64 characters and encouraging users to use longer passwords. For high-value accounts, 16+ characters is considered appropriate by most security practitioners.
If length is more important than complexity, can I use a long dictionary word?
A single dictionary word — even a very long one — is still vulnerable to dictionary attacks. NIST's advice is about length combined with randomness. A long sequence of random characters or unrelated random words provides the benefits. "supercalifragilistic" alone is weaker than "cloud-river-desk-41" because the latter is four unpredictable words.
