{“lastseen”:”2025-10-10T16:54:00″,”description”:”It\u2019s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do it. \\n\\nAfter nearly four years of work to update and modernize its guidance for how companies, organizations, and businesses should protect their systems and their employees, the US National Institute of Standards and Technology has released its latest guidelines for password creation, and it comes with some serious changes.\\n\\nGone are the days of resetting your and your employees\u2019 passwords every month or so, and no longer should you or your small business worry about requiring special characters, numbers, and capital letters when creating those passwords. Further, password \u201chints\u201d and basic security questions are no longer suitable means of password recovery, and password length, above all other factors, is the most meaningful measure of strength.\\n\\nThe newly published rules will not only change the security best practices at government agencies, they will also influence the many industries that are subject to regulatory compliance, as several data protection laws require that organizations employ modern security standards on an evolving basis.\\n\\nIn short, here\u2019s what NIST has included in its updated guidelines:\\n\\n * Password \u201ccomplexity\u201d (special characters, numbers) is out.\\n * Password length is in (as it has been for years).\\n * Regularly scheduled password resets are out.\\n * Passwords resets used strictly as a response to a security breach are in.\\n * Basic security questions and \u201chints\u201d for password recovery are out.\\n * Password recovery links and authentication codes are in. \\n\\n\\n\\nThe guidelines are not mandatory for everyday businesses, and so there is no \u201cdeadline\u201d to work against. But small businesses should heed the guidelines as probably the strongest and simplest best practices they can quickly adopt to protect themselves and their employees from hackers, thieves, and online scammers. In fact, according to Verizon\u2019s 2025 Data Breach Investigations Report, \u201ccredential abuse,\u201d which includes theft and brute-force attacks against passwords, \u201cis still the most common vector\u201d in small business breaches.\\n\\nHere\u2019s what some of NIST\u2019s guidelines mean for password security and management.\\n\\n## 1\\\\. The longer the password the stronger the defense\\n\\n\u201cPassword length is a primary factor in characterizing password strength,\u201d NIST said in its new guidance. But exactly how long a password should be will depend on its use.\\n\\nIf a password can be used as the _only_ form of authentication (meaning that an employee doesn\u2019t need to _also_ send a one-time passcode or to confirm their login through a separate app on a smartphone), then those passwords should be, at minimum, 15 characters in length. If a password is just one piece of a multifactor authentication setup, then passwords can be as few as 8 characters.\\n\\nAlso, employees should be able to create passwords as long as 64 characters.\\n\\n## 2\\\\. Less emphasis on \u201ccomplexity\u201d\\n\\nRequiring employees to use special characters (\\u0026^%$), numbers, and capital letters doesn\u2019t lead to increased security, NIST said. Instead, it just leads to predictable, bad passwords.\\n\\n\u201cA user who might have chosen \u2018password\u2019 as their password would be relatively likely to choose \u2018Password1\u2019 if required to include an uppercase letter and a number or \u2018Password1!\u2019 if a symbol is also required,\u201d the agency said. \u201cSince users\u2019 password choices are often predictable, attackers are likely to guess passwords that have previously proven successful.\u201d\\n\\nIn response, organizations should change any rules that require password \u201ccomplexity\u201d and instead set up rules that favor password length.\\n\\n## 3\\\\. No more regularly scheduled password resets\\n\\nIn the mid-2010s, it wasn\u2019t unusual to learn about an office that changed its WiFi password every _week_. Now, this extreme rotation is coming to a stop.\\n\\nAccording to NIST\u2019s latest guidance, passwords should only be reset after they have been compromised. Here, NIST was also firm in its recommendation\u2014a compromised password _must_ lead to a password reset by an organization or business.\\n\\n## 4\\\\. No more password \u201chints\u201d or security questions\\n\\nDecades ago, users could set up little password \u201chints\u201d to jog their memory if they forgot a password, and they could even set up answers to biographical questions to access a forgotten password. But these types of questions\u2014like \u201cWhat street did you grow up on?\u201d and \u201cWhat is your mother\u2019s maiden name?\u201d\u2014are easy enough to fraudulently answer in today\u2019s data-breached world.\\n\\nPassword recovery should instead be deployed through recovery codes or links sent to a user through email, text, voice, or even the postal service.\\n\\n## 5\\\\. Password \u201cblocklists\u201d should be used\\n\\nJust because a password fits a list of requirements doesn\u2019t make it strong. To protect against this, NIST recommended that organizations should have a password \u201cblocklist\u201d\u2014a set of words and phrases that will be rejected if an employee tries to use them when creating a password.\\n\\n\u201cThis list should include passwords from previous breach corpuses, dictionary words used as passwords, and specific words (e.g., the name of the service itself) that users are likely to choose,\u201d NIST said.\\n\\nCurious where to start? \u201cPassword,\u201d obviously, \u201cPassword1,\u201d and don\u2019t forget \u201cPassword1!\u201d\\n\\n## Strengthening more than passwords\\n\\nPassword strength and management are vital to the overall cybersecurity of any small business, and it should serve as a first step towards online protection. But there’s more to online protection today. Hackers and scammers will deploy a variety of tools to crack into a business, steal its data, extort its owners, and cause as much pain as possible. For 24\/7 antivirus protection, AI-powered scam guidance, and constant web security against malicious websites and connections, use Malwarebytes for Teams.”,”published”:”2025-10-10T15:06:15″,”modified”:”2025-10-10T15:06:15″,”type”:”malwarebytes”,”title”:”Your passwords don\\u0026#8217;t need so many fiddly characters, NIST says”,”source”:””,”references”:””,”id”:”MALWAREBYTES:83B3D4FA12FF4C24FFA51E615E4D1527″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/10\/your-passwords-dont-need-so-many-fiddly-characters-nist-says”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-10T16:54:00″,”description”:”It\u2019s once again time to change your passwords, but if one government agency has its way, this might be the very last time you do…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-21055","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n