Current NIST Password Requirements for 2025 (SP800-63b).

What’s gone:

❌ Required uppercase, numbers, and symbols
❌ Mandatory password resets every 90 days
❌ Arbitrary complexity policies

What’s required now:

✅ Minimum 8-character passwords (15+ for privileged accounts)
✅ Password screening against compromised credential databases
✅ Support for passwordless authentication and passkeys

Minimum Password Length Requirements

Password length serves as the cornerstone of NIST's updated authentication framework. While the baseline requirement mandates a minimum of 8 characters, security research reveals that passwords under 8 characters can be cracked within hours using modern computing power.

StrongDM has a good summary.

Normally I use SSH keys (with a password) to login to remote machines. Today I needed to force SSH to use a password to verify a change. Here is the command:

ssh -o PubkeyAuthentication=no user@server.domain.com