Published: May 28, 2025

Our new bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.

Featured Cyber News — A New Approach to Digital Identity and Password Management

In August 2024, the National Institute of Standards and Technology (NIST) released the Second Public Draft of SP 800-63-4 Digital Identity Guidelines to help organizations better protect digital accounts. The public comment period closed in October 2024, with the final version expected this year.

For professional services firms, this update reflects a shift in how businesses can safeguard client accounts and sensitive data with a simpler, more effective approach. With World Password Day on May 1 this year, it is a timely opportunity to learn about evolving password practices.

What Are the NIST Digital Identity Guidelines?

The NIST guidelines are federally developed standards for managing digital identities. Originally designed for government use, they are widely adopted in the private sector, particularly by organizations handling regulated or confidential data.

SP 800-63-4 is the upcoming major revision that covers all three parts below, based on public feedback, research, and evolving technologies.

  • SP 800-63A: Enrollment and Identity Proofing (verifying a real person)
  • SP 800-63B: Authentication and Lifecycle Management (authenticating a user)
  • SP 800-63C: Federation and Assertions (sharing identity across systems)

What’s Going to Change

The new guidelines reflect how people use digital tools today, such as password syncing, password managers, and digital wallets. Key password-related updates are as follows:

Minimum Password Length
  • Current Guidelines (SP 800-63B-3): Minimum of 8 characters
  • New Guidelines (SP 800-63B-4 Second Draft): Minimum of 8; 12-16 characters recommended

Maximum Password Length
  • Current Guidelines (SP 800-63B-3): Not clearly defined; often limited
  • New Guidelines (SP 800-63B-4 Second Draft): Up to 64 characters supported

Enforced Complexity
  • Current Guidelines (SP 800-63B-3): Allowed but not required; many systems force a mix of upper/lowercase letters, numbers, and special characters.
  • New Guidelines (SP 800-63B-4 Second Draft): No forced mix; the focus is on length.

Password Expiration
  • Current Guidelines (SP 800-63B-3): Not required unless compromised; many systems reset every 60–90 days.
  • New Guidelines (SP 800-63B-4 Second Draft): Changes required only after known or suspected compromise

Password Hints
  • Current Guidelines (SP 800-63B-3): Allowed
  • New Guidelines (SP 800-63B-4 Second Draft): Not allowed

Security Questions
  • Current Guidelines (SP 800-63B-3): Allowed
  • New Guidelines (SP 800-63B-4 Second Draft): Not allowed

SMS-based MFA
  • Current Guidelines (SP 800-63B-3): Allowed but discouraged
  • New Guidelines (SP 800-63B-4 Second Draft): Strongly discouraged; app- or hardware-based MFA recommended

Breached Password Checks
  • Current Guidelines (SP 800-63B-3): Recommended
  • New Guidelines (SP 800-63B-4 Second Draft): Required; passwords must be checked against known breached lists

Password Manager Use and Support
  • Current Guidelines (SP 800-63B-3): Use suggested; pasting from a password manager should be allowed.
  • New Guidelines (SP 800-63B-4 Second Draft): Use strongly encouraged; pasting from a password manager must be allowed.

Character Support
  • Current Guidelines (SP 800-63B-3): Only basic ASCII characters supported
  • New Guidelines (SP 800-63B-4 Second Draft): ASCII, Unicode, and space characters supported
Why This Update Matters

Beyond password rules, the updated version introduces broader improvements. Remote identity verification via video calls, kiosks, or other self-service options streamlines authentication. To meet fraud detection requirements, systems must include ways to detect suspicious behavior, such as unusual logins or repeated failed attempts. Privacy and accessibility are enhanced by limiting data collection, requiring clear disclosures, and ensuring access for users with limited technology. Support for digital wallets, such as portable, user-controlled credentials, enables secure, passwordless logins—advancing user experience while aligning with compliance frameworks like HIPAA, SOC 2, and ISO 27001.
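The fraud-detection requirement above is easiest to see in code. The following is an added example, not something from the NIST draft or from the NCSS bulletin: it runs two simple checks over a constructed authentication log (the log lines, user names, IP addresses, the 5-failures-in-10-minutes threshold, and the country field are all assumptions made for the illustration) and raises an alert for repeated failed attempts on one account and for a successful login from a location the account has never used before.

```python
"""Basic fraud checks over an authentication log: repeated failures and unusual logins."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log (not real data). Fields: timestamp, user, source IP, country, outcome.
SAMPLE_LOG = """\
2025-05-27T08:00:12Z alice 203.0.113.10 US success
2025-05-27T08:05:01Z bob 198.51.100.7 US failure
2025-05-27T08:05:09Z bob 198.51.100.7 US failure
2025-05-27T08:05:15Z bob 198.51.100.7 US failure
2025-05-27T08:05:20Z bob 198.51.100.7 US failure
2025-05-27T08:05:27Z bob 198.51.100.7 US failure
2025-05-27T09:30:00Z alice 192.0.2.44 BR success
2025-05-27T12:00:00Z carol 203.0.113.55 US failure
2025-05-27T15:00:00Z carol 203.0.113.55 US failure
"""

# Assumed thresholds for the example; tune to the size and habits of your own user base.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


class Alert(NamedTuple):
    kind: str        # "repeated_failures" or "unusual_location"
    user: str
    source_ip: str
    when: datetime


def parse_line(line: str):
    """Split one whitespace-separated log line into typed fields."""
    ts, user, ip, country, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country, outcome


def detect_alerts(log_text: str) -> list[Alert]:
    """Return alerts for (a) FAIL_THRESHOLD failures per user inside FAIL_WINDOW and
    (b) a successful login from a country not seen in that user's earlier successes."""
    recent_failures: dict[str, deque] = defaultdict(deque)   # user -> failure timestamps in window
    known_countries: dict[str, set] = defaultdict(set)       # user -> countries of past successes
    alerts: list[Alert] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = parse_line(line)

        if outcome == "failure":
            window = recent_failures[user]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()
            # Alert once when the threshold is first crossed, not on every later failure.
            if len(window) == FAIL_THRESHOLD:
                alerts.append(Alert("repeated_failures", user, ip, ts))
        else:
            # Only flag a new country once we have a baseline for this user; the
            # first ever success establishes the baseline rather than alerting.
            if user in known_countries and country not in known_countries[user]:
                alerts.append(Alert("unusual_location", user, ip, ts))
            known_countries[user].add(country)

    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_LOG):
        print(f"{alert.when.isoformat()} {alert.kind}: user={alert.user} source={alert.source_ip}")
```

Run as a script it prints one alert for bob (five failures in 26 seconds) and one for alice (a success from BR after only US logins); carol's two failures are three hours apart and stay quiet. In a real deployment the same logic would read from your identity provider's sign-in log and feed a ticket or notification rather than print.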

Next Steps: What Your Business Should Consider

Looking ahead, the following recommendations reflect NIST’s intended direction and serve as a practical basis for preparation, so your business can start planning changes now.

  1. Update Password Policies
    • Require longer passwords (12+ characters)
    • Remove forced complexity and periodic reset rules
  2. Block Risky Passwords
    • Use a password blacklist (also called a breach blocklist) to block known weak or compromised passwords
  3. Enable Strong MFA Methods
  4. Remove Hints and Security Questions
    • Eliminate these from login and recovery processes
  5. Support Password Managers
    • Allow copy/paste and long-character input
  6. Modernize Identity Verification
    • Consider remote options like video or kiosk-based ID checks
  7. Implement Basic Fraud Checks
    • Set up alerts to monitor unusual login behavior
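To make steps 1, 2, 4 and 5 concrete, here is an added example (not code from NIST or from the NCSS) of a password acceptance check written to the draft rules in the table above: a minimum of 8 characters with 12 or more recommended, up to 64 characters accepted, no forced character mix, no expiry logic, Unicode and spaces allowed, and a mandatory check against a breached-password blocklist. A typical pre-update "complexity" rule is included alongside it for comparison. The blocklist contents are constructed for the example; a real deployment would load a breach corpus. One detail goes slightly beyond the bulletin: the candidate is NFKC-normalized before checking, which SP 800-63B recommends so that visually identical Unicode strings compare equal.

```python
"""Password acceptance check modelled on the SP 800-63B-4 draft rules summarised above."""
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 8            # minimum required by the draft
RECOMMENDED_LENGTH = 12   # 12-16 recommended: shorter passwords get a warning, not a rejection
MAX_LENGTH = 64           # verifiers must accept at least 64 characters

# Constructed stand-in for a breached/weak password blocklist (assumption for the example;
# a real system would load a breach corpus). Entries are stored case-folded.
BREACHED_PASSWORDS = {"password", "123456", "qwerty123", "p@ssw0rd", "welcome1"}


@dataclass
class PasswordCheck:
    accepted: bool
    problems: list[str] = field(default_factory=list)   # reasons for rejection
    warnings: list[str] = field(default_factory=list)   # advice shown to the user, not blocking


def legacy_policy(candidate: str) -> bool:
    """Typical pre-update rule set: 8+ characters and a forced mix of character classes.
    Kept here only to contrast with check_password(); it rejects long passphrases."""
    return (len(candidate) >= 8
            and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


def check_password(candidate: str, blocklist: set[str] = BREACHED_PASSWORDS) -> PasswordCheck:
    """Apply the draft rules: length bounds, blocklist check, no composition rules."""
    # NFKC normalisation so equivalent Unicode encodings of the same text compare equal.
    normalized = unicodedata.normalize("NFKC", candidate)
    result = PasswordCheck(accepted=True)

    # Count code points, so each Unicode character and each space counts as one.
    length = len(normalized)
    if length < MIN_LENGTH:
        result.problems.append(f"shorter than {MIN_LENGTH} characters")
    elif length < RECOMMENDED_LENGTH:
        result.warnings.append(f"{RECOMMENDED_LENGTH}+ characters recommended")
    if length > MAX_LENGTH:
        result.problems.append(f"longer than {MAX_LENGTH} characters")

    # Case-folded comparison so a trivially capitalised breached value is still caught.
    if normalized.casefold() in blocklist:
        result.problems.append("appears in breached/weak password blocklist")

    # Deliberately absent: upper/lower/digit/symbol requirements, hints, security
    # questions and periodic expiry. The draft drops all of them.
    result.accepted = not result.problems
    return result


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "correct horse battery staple", "naïve café secret", "short1!"]:
        new = check_password(pw)
        print(f"{pw!r}: legacy={legacy_policy(pw)} new={new.accepted} "
              f"problems={new.problems} warnings={new.warnings}")
```

The comparison in the script shows the policy shift: "P@ssw0rd" satisfies the legacy complexity rule yet is rejected under the new check because it is on the blocklist, while the 28-character passphrase fails the legacy rule and is accepted under the new one. The warnings list is where a signup form would nudge users toward 12 or more characters without refusing an 8-character password outright.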

Conclusion

The upcoming NIST update is more than a password refresh—it offers a smarter, more practical approach to managing digital identity and passwords. Professional services firms, particularly those with regulated clients or systems, will benefit from early planning to ensure better protection of client information, smoother operations, and improved readiness for future security and compliance demands.

The NCSS encourages businesses to adopt comprehensive security practices and stay informed about evolving cybersecurity requirements. We recommend you consider becoming an NCSS member to access a wide range of our services. For more information, visit our Small Business page.

About the NCSS

The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.

The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.