From “P@ssw0rd!” to Passphrases: How Password Standards Have Evolved
- Posted by admin
- On January 12, 2026
- 0 Comments
In the technology security domain, one area that has gone through a genuine philosophical shift is passwords and system authentication.
Earlier, strong security meant more rules: at least one capital letter, at least one number, at least one special character, no reuse, and a mandatory change every 60 or 90 days.
Most of us can still remember creating passwords such as Welcome@123, CompanyName#1, or CompanyName1!.
For many years, such passwords satisfied policy and passed audits. However, as cyber threats grew, attackers’ cracking tools could break them within seconds.
Today, after years of research, breach analytics, and standards like NIST SP 800‑63, password guidance looks almost relaxed by comparison. But that relaxation isn’t about convenience—it’s about real-world security.
What Years of Breach Data Taught Us
As large-scale password breaches became common and attackers gained access to billions of real passwords, researchers began analysing how people actually behave.
What they discovered was uncomfortable but consistent:
- Users follow predictable patterns:
  - Capital letter at the start
  - Numbers and symbols at the end
  - The same few special characters are reused (!, @, #)
- Mandatory password changes lead to incrementing passwords such as Companyname1! → Companyname2!
Attackers know these patterns—and they test them first.
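The habits listed above can be measured rather than guessed at. The following Python script is an added example (not code from the original post) that flags those predictable structures in a set of constructed, non-real password rotations: a lone capital at the start, digits or symbols tacked on the end, a symbol standing in for a letter inside a word, and a new password that is just the previous one incremented or extended. The sample pairs and the flag names are assumptions made for this example; a defender would run the same checks over a password-change audit feed to see how much of the user base a rotation policy is pushing into these patterns.

```python
import re

# Constructed sample (not real credentials): (previous_password, new_password)
# pairs of the kind a 90-day rotation policy tends to produce.
SAMPLE_CHANGES = [
    ("Companyname1!", "Companyname2!"),
    ("Welcome@123", "Welcome@124"),
    ("P@ssw0rd!", "P@ssw0rd!!"),
    ("correct horse battery staple", "purple otter sings at dawn"),
]

TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*]+$")          # digits/symbols at the end
INNER_SUBST = re.compile(r"[A-Za-z][^A-Za-z\s][A-Za-z]")  # letter, symbol/digit, letter
NUMBERED = re.compile(r"^(.*?)(\d+)(\D*)$")               # prefix, number, suffix


def pattern_flags(pw: str) -> list[str]:
    """Structural habits visible in a single password on its own."""
    flags = []
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        flags.append("capital_first_only")
    if TRAILING_JUNK.search(pw):
        flags.append("digits_or_symbols_at_end")
    if INNER_SUBST.search(pw):
        flags.append("symbol_for_letter_substitution")
    return flags


def change_flags(old: str, new: str) -> list[str]:
    """Habits visible only when a rotation is compared with the previous value."""
    flags = []
    m_old, m_new = NUMBERED.match(old), NUMBERED.match(new)
    same_shape = (
        m_old and m_new
        and m_old.group(1) == m_new.group(1)
        and m_old.group(3) == m_new.group(3)
    )
    if same_shape:
        # Same text around the number, number went up by one: Companyname1! -> Companyname2!
        if int(m_new.group(2)) == int(m_old.group(2)) + 1:
            flags.append("incremented_previous")
    elif new.startswith(old) and len(new) - len(old) <= 2:
        # Old value kept verbatim with a character or two appended
        flags.append("appended_to_previous")
    return flags


def audit(changes):
    """Map each new password in the sample to the sorted set of flags it triggers."""
    return {
        new: sorted(set(pattern_flags(new) + change_flags(old, new)))
        for old, new in changes
    }


if __name__ == "__main__":
    for pw, flags in audit(SAMPLE_CHANGES).items():
        print(f"{pw!r:35} {', '.join(flags) or 'no predictable pattern found'}")
```

The passphrase in the last pair triggers nothing, while every "compliant" complex password in the sample triggers at least two flags; that gap is the one the breach analyses above are describing.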
The NIST Shift: Evidence Over Tradition
NIST made a decisive break from legacy thinking with SP 800‑63B. Subsequent updates doubled down on the same message:
Stop forcing complexity. Start focusing on length, screening, and context.
Key changes include:
- No mandatory uppercase, numbers, or symbols
- No periodic password changes unless there is evidence of compromise
- Minimum length of 15 characters for single-factor authentication
- Support for long passphrases (up to 64 characters)
- Mandatory screening against known breached passwords
The rationale behind this change: Length increases security exponentially.
A short, complex password like P@ssw0rd! falls quickly to modern cracking rigs because attackers know the substitutions and patterns. A long, natural‑language passphrase, even without symbols, creates a search space that is dramatically harder to brute‑force and far easier for humans to remember. This is why NIST explicitly encourages passphrases and allows spaces, Unicode characters, and the full printable ASCII set.
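Putting the key changes above into a verifier makes the contrast with the old rules concrete. The Python below is an added example, not the post's or NIST's code: it accepts any characters (spaces and Unicode included), enforces only the post's 15‑character minimum and 64‑character maximum, screens against a breached-password list, and rejects context-specific words, with no uppercase/digit/symbol rule and no expiry. The breached list is constructed from strings in this post rather than from a real breach corpus, the context-word check is this example's reading of "context" screening, and the search-space function shows why length beats symbol rules even under naive brute force.

```python
import hashlib
import math
import unicodedata

# Constructed breached-password set for this example. A real deployment would
# query a breach corpus or a k-anonymity lookup service; these strings are the
# illustrative examples from the post, not leaked credentials.
BREACHED_PLAINTEXTS = ["Welcome@123", "CompanyName#1", "P@ssw0rd!", "password"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in BREACHED_PLAINTEXTS}

MIN_LEN_SINGLE_FACTOR = 15   # the post's minimum for password-only authentication
MAX_LEN = 64                 # the post's upper bound for passphrases
PRINTABLE_ASCII = 95         # space plus the 94 printing ASCII characters
LOWER_AND_SPACE = 27         # alphabet of a plain lowercase passphrase


def normalize(secret: str) -> str:
    """NFKC-normalize so the same Unicode passphrase matches however it was typed."""
    return unicodedata.normalize("NFKC", secret)


def check_password(secret: str, context_words=()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Deliberately no composition rule (uppercase/digit/symbol) and no expiry."""
    s = normalize(secret)
    problems = []
    n = len(s)  # count code points, so spaces and Unicode count fully
    if n < MIN_LEN_SINGLE_FACTOR:
        problems.append(f"too short: {n} < {MIN_LEN_SINGLE_FACTOR} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters")
    if hashlib.sha1(s.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    low = s.casefold()
    for word in context_words:  # e.g. username, company or product name
        if len(word) >= 4 and word.casefold() in low:
            problems.append(f"contains context-specific word {word!r}")
    return problems


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of a given length over a given alphabet,
    i.e. the naive brute-force work before an attacker applies any patterns."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct horse battery staple", "naïve café passphrase ✓"]:
        verdict = check_password(candidate, context_words=("Knavus",)) or ["accepted"]
        print(f"{candidate!r:35} {'; '.join(verdict)}")
    # 9 characters over printable ASCII vs 28 lowercase letters and spaces
    print(f"P@ssw0rd! naive space: {search_space_bits(9, PRINTABLE_ASCII):.1f} bits")
    print(f"28-char passphrase:    {search_space_bits(28, LOWER_AND_SPACE):.1f} bits")
```

Even before accounting for the dictionary-and-substitution patterns that shrink P@ssw0rd! to a tiny effective space, the 28-character lowercase passphrase has more than twice the naive brute-force bits, and it is the one users can actually remember.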
Another critical shift in recent years is that passwords are no longer expected to carry the full security burden. Modern standards assume multi-factor authentication (MFA) wherever possible. In this context, making passwords easier to get right actually improves overall security outcomes.
What this means for practitioners in the Technology Security Industry
If your organization still enforces rules such as mandatory special characters, 90-day password rotation, and maximum password lengths of 12–16 characters, you’re not being “stricter.”
You’re being outdated. More importantly, you’re increasing password reuse, helpdesk calls for password resets, and unsafe user workarounds.
The evolution of password standards isn’t a story of weakening security. It’s a story of redesigning controls to work with human behaviour rather than against it.
In case of any queries, please contact Anvay Paranjape at anvay.paranjape@knavus.com