NIST Password Recommendations for 2025

Current NIST Password Requirements for 2025 (SP 800-63B).

What’s gone:

❌ Required uppercase, numbers, and symbols
❌ Mandatory password resets every 90 days
❌ Arbitrary complexity policies

What’s required now:

✅ Minimum 8-character passwords (15+ for privileged accounts)
✅ Password screening against compromised credential databases
✅ Support for passwordless authentication and passkeys

Minimum Password Length Requirements

Password length serves as the cornerstone of NIST's updated authentication framework. While the baseline requirement mandates a minimum of 8 characters, security research reveals that passwords under 8 characters can be cracked within hours using modern computing power.
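
A sketch of a verifier-side check for the requirements listed above, added here as an example and not taken from NIST or StrongDM. The function name, the return codes and the small breached-password set are constructed for illustration, and normalizing to NFKC before counting and hashing is an assumption of this example.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8              # baseline minimum from the list above
MIN_LENGTH_PRIVILEGED = 15  # minimum for privileged accounts


def _sha1(password: str) -> str:
    # SHA-1 is used only as a lookup key into the breach set,
    # not as a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a compromised-credential database.
BREACHED_HASHES = {
    _sha1(p)
    for p in ("password", "12345678", "qwertyuiop", "correcthorsebatterystaple")
}


def check_password(password: str, privileged: bool = False,
                   breached: set = BREACHED_HASHES) -> list:
    """Return a list of policy violations; an empty list means accepted."""
    # Assumption: normalize so visually identical input is counted
    # and screened the same way.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []

    required = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    if len(normalized) < required:  # len() counts Unicode code points
        problems.append("too_short")

    if _sha1(normalized) in breached:
        problems.append("compromised")

    # Deliberately absent: uppercase/digit/symbol rules and any
    # password-age check, matching the "What's gone" list.
    return problems


if __name__ == "__main__":
    for pw, priv in [("Tr0ub4!", False), ("password", False),
                     ("all lowercase but long", False),
                     ("twelve chars", True)]:
        print(repr(pw), "privileged" if priv else "standard",
              check_password(pw, priv) or "accepted")
```

A long all-lowercase passphrase passes, while a 7-character password with mixed case, digits and symbols is rejected: length and breach screening decide the outcome, not composition.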

StrongDM has a good summary.

All content licensed under the Creative Commons License