2026-03-10
The US National Institute of Standards and Technology (NIST) has revised its password guidelines (SP 800-63B, Digital Identity Guidelines). Several rules that organizations have enforced for years turned out to be counterproductive.
**Old approach**: minimum 8 characters; digits, special characters and mixed case required.
**New NIST**: minimum 8 characters, but **15+ recommended**, and passwords of at least 64 characters must be accepted. Composition rules (digits, symbols, mixed case) are no longer to be imposed at all: length is what matters, forced character classes are not.
Why? “Tr0ub4dor&3” follows a pattern that cracking tools try first (a dictionary word with leet substitutions, a capital at the front, a symbol and a digit at the end), so it falls far sooner than “correct horse battery staple” (28 characters, four random common words, easy to memorize), whose search space is much larger.
**Old approach**: change your password every 90 days.
**New NIST**: change a password **only if there is evidence it was compromised**. Forced rotation pushes users toward weak, predictable passwords (Password1! → Password2! → Password3!), which attackers guess by applying the same increment.
Password hints and security questions (mother's maiden name, pet's name) are no longer permitted: the answers are easily found on social networks.
When a password is created or changed, it must be checked against a blocklist of known-compromised and commonly used passwords, for example the Have I Been Pwned corpus. A password that appears in a breach is rejected.
All printable ASCII characters and the space must be accepted, and all other Unicode characters, including emoji, should be. Each Unicode code point counts as one character toward the length, and the password should be normalized (NFKC or NFKD) before it is hashed so that the same password typed on different keyboards matches.
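As an added example, not code from the original article: a registration-time check of the kind the two points above describe, in Python. It NFKC-normalizes the password, counts length in code points, runs the k-anonymity range query used by the Pwned Passwords API (only the first 5 hex characters of the SHA-1 leave the client), and stores the accepted password with a per-user random salt and scrypt. The HTTP call is replaced by an offline stand-in: the range response embedded below is constructed (only the suffix of SHA-1("password") in it is real; the breach counts and the other suffixes are made up), and `sample_fetch_range`, `evaluate` and the other function names are mine, not the API's.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Callable, Optional

# The real Pwned Passwords range endpoint is
#   https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# and answers with lines of "<remaining 35 hex chars>:<breach count>".
# CONSTRUCTED stand-in for the response to prefix 5BAA6, the prefix of
# SHA-1("password"): that one suffix is real, the counts and the other
# suffixes are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
FEDCBA9876543210FEDCBA9876543210FED:1
"""

MIN_LENGTH = 15  # SP 800-63B: 8 is the floor, 15 is the recommendation


def normalize(password: str) -> str:
    """NFKC-normalize before length checks and hashing, as SP 800-63B
    recommends, so the same password entered through different keyboards
    or input methods (ligatures, full-width forms) compares equal."""
    return unicodedata.normalize("NFKC", password)


def char_length(password: str) -> int:
    """Length in Unicode code points: an emoji or a CJK character counts
    as one character, not as its UTF-8 byte count."""
    return len(normalize(password))


def hibp_range_query(password: str) -> tuple:
    """Split SHA-1(password) into the 5-char prefix sent to the service and
    the 35-char suffix that stays on the client (k-anonymity: the service
    never sees the full hash, let alone the password)."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_body: str) -> int:
    """Match the local suffix against the lines of a range response."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of the range endpoint (assumption:
    a real client would fetch https://api.pwnedpasswords.com/range/<prefix>)."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def evaluate(password: str, fetch_range: Callable[[str], str]) -> dict:
    """Registration decision: reject passwords that are too short or that
    appear in the compromised-password list."""
    length = char_length(password)
    prefix, suffix = hibp_range_query(password)
    seen = breach_count(suffix, fetch_range(prefix))
    reasons = []
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if seen:
        reasons.append(f"appears in {seen} known breaches")
    return {"length": length, "breach_count": seen,
            "accepted": not reasons, "reasons": reasons}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store with a per-user random salt and a memory-hard KDF (scrypt):
    the salt defeats rainbow tables, the KDF slows offline brute force."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple", "\ufb01sh \U0001F512 sauce"]:
        print(repr(pw), evaluate(pw, sample_fetch_range))
```

The SHA-1 in the range query is not a storage hash; it is the lookup key the Pwned Passwords service uses and is never written to disk here. Storage goes through `hash_password`, where the salt is generated per user and kept beside the digest.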
| Category | Recommendation |
|---|---|
| Length | Minimum 15 characters |
| Composition | Random words (a passphrase) or cryptographically random characters |
| Uniqueness | A different password for each service |
| Storage | Password manager |
| 2FA | Required for important accounts |
**Brute force** - tries every combination; the cost grows exponentially with length, so length matters most
**Dictionary** - tries lists of leaked and common passwords plus mutation rules (Password1!, P@ssw0rd); this is what the compromised-password blocklist defends against
**Rainbow tables** - precomputed hash lookups; defeated by a per-user salt
**Phishing** - steals the password outright, so its complexity is irrelevant; only a second factor helps
A password generator creates cryptographically random passwords of any length and composition.
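As an added example, not code from the original article: the arithmetic behind "length matters most" and a generator of the kind described above, in Python. `entropy_bits` gives the search space of a machine-generated password for the policies compared in the article (8 printable characters, 15 lowercase letters, 4 or 6 random words), `years_to_exhaust` turns that into time at an assumed 1e10 guesses per second, and the two generators draw from the OS CSPRNG via `secrets`. The word list is a small constructed stand-in; the 7,776-word figure is the size of a diceware-style list and is used only in the arithmetic.

```python
import math
import secrets
import string

# Printable ASCII without the space: 94 symbols (letters, digits, punctuation).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# CONSTRUCTED stand-in word list (assumption). A real passphrase generator
# draws from several thousand words; 7,776 is the size of a diceware-style
# list and is used below only for the entropy arithmetic.
WORDS = ["correct", "horse", "battery", "staple", "anchor", "blender",
         "cactus", "dolphin", "ember", "falcon", "glacier", "harbor"]
DICEWARE_LIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size`. This holds only for machine-generated
    passwords: a human-chosen "Tr0ub4dor&3" has far fewer effective bits
    because its pattern (word, leet substitutions, trailing symbol and
    digit) is predictable."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole keyspace. The 1e10/s rate is an assumed rough
    figure for an offline attack on a fast unsalted hash with GPUs."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare_policies() -> dict:
    """Entropy, in bits, of the policies discussed in the article."""
    return {
        "8 chars, full printable ASCII (old rule)": entropy_bits(len(PRINTABLE), 8),
        "15 lowercase letters (new minimum, no complexity)": entropy_bits(26, 15),
        "4 random diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 random diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Random character password from the OS CSPRNG (secrets, never random)."""
    if length < 8:
        raise ValueError("NIST minimum is 8 characters; 15+ is recommended")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = " ") -> str:
    """Random word passphrase; spaces are allowed by the new guidelines."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy}: {bits:.1f} bits, ~{years_to_exhaust(bits):.3g} years to exhaust")
    print(generate_password(16))
    print(generate_passphrase(6))
```

Fifteen random lowercase letters (about 70.5 bits) beat eight random characters from the full printable set (about 52.4 bits) by a wide margin, which is the point of dropping composition rules in favor of length. Four diceware words land near the old eight-character policy; six comfortably exceed it while staying memorable.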
See also: Password Strength Checker, Hash Generator, UUID Generator