TL;DR: NIST’s latest Digital Identity Guidelines move away from mandatory complexity rules and periodic password changes, while reinforcing longer passphrases, password manager support, blocklists for breached credentials, and phishing-resistant options such as passkeys, according to Descope. The practical lesson is that password policy should reduce predictable human workarounds, not preserve outdated assumptions about how users behave.
NHIMG editorial — based on content published by Descope: NIST password guidelines and what changed in the latest Digital Identity Guidelines
By the numbers:
- The average user clocks in at 225 passwords, according to NordPass.
Questions worth separating out
Q: How should organisations move away from password-only authentication without breaking access?
A: Start with the highest-risk populations first, especially administrators, remote workers, and systems exposed to phishing or credential reuse.
Q: Why do periodic password changes often make security worse?
A: Users usually respond to forced rotation by making small edits to an existing password instead of creating a genuinely new secret.
Q: What do security teams get wrong about password complexity requirements?
A: They often assume more character classes equals stronger identity assurance.
Practitioner guidance
- Remove mandatory periodic rotation for ordinary users Change policy so password resets are required only when there is evidence of compromise or suspicious activity.
- Replace complexity rules with longer passphrases Allow long passphrases, remove forced symbol mixtures, and enable password managers, paste, and show or hide controls so users can create secrets they can actually remember without predictable patterns.
- Deploy breached-password blocklists at the verifier Check candidate passwords against known compromise lists and local deny lists for common, reused, and context-specific values.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Exact NIST password length thresholds for different assurance scenarios and how they apply in practice
- Practical examples of blocked password patterns, including context-specific terms and commonly breached values
- The user-experience changes NIST supports, such as paste, autofill, and show or hide password controls
- How Descope frames passkeys and phishing-resistant authentication options in its broader auth stack
👉 Read Descope's analysis of the latest NIST password guidance and modern auth changes →
NIST password guidance: are legacy auth controls still failing?
Explore further
Legacy password policy is an identity control designed for a different threat model. Complexity rules and forced rotation were built for a world where the main concern was user memorability, not phishing, credential stuffing, and large-scale reuse. That model fails when attackers harvest secrets at scale and users adapt by making passwords more predictable. The implication is that many organisations are still measuring security with controls that no longer map to current attack reality.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why secret policy and access review remain operational blind spots in many identity programmes.
A question worth separating out:
Q: Who is accountable when password policy conflicts with modern identity standards?
A: Accountability sits with the identity, security, and risk owners who approve the control framework, not just with end users. If policy still mandates outdated rotation or complexity rules, the organisation owns the resulting friction and the weaker security outcomes that follow.
👉 Read our full editorial: NIST password guidance shows why legacy auth rules still fail