
From Draft to Final: What’s New in NIST’s Latest Password Guidance?

As digital identity continues to evolve, keeping up with the latest security standards is more important than ever. The National Institute of Standards and Technology (NIST) has long been a trusted authority in this space, and its Special Publication 800-63B, focused on digital authentication and password management, has just received a significant update. The final version introduces several key changes from the earlier draft, reflecting real-world threats and usability concerns.

NIST SP 800-63B-4 Second Public Draft, Digital Identity Guidelines: Authentication and Authenticator Management

If you’re responsible for identity management, cybersecurity, or user experience, here’s what you need to know about the changes between the draft and final versions of the latest guidance.

(Previous blog – Navigating the Impact of NIST 800-63B-4’s New Password Guidelines on Your Organization – Intercede)

Why the Update?

The way we interact with digital systems has shifted dramatically in just a short time. Traditional passwords are increasingly seen as a weak link, vulnerable to phishing, brute-force attacks, and poor user practices. Meanwhile, new technologies like passkeys and syncable authenticators are gaining traction, offering a more secure and user-friendly alternative.

Recognising this shift, NIST released a supplement to SP 800-63B that reflects the growing adoption of phishing-resistant authentication and the need for modernised guidance. The final version builds on the draft with clearer definitions, updated threat models, and practical implementation advice.

Major Changes from Draft to Final

  1. Embracing Syncable Authenticators

One of the most notable additions is support for syncable authenticators, credentials that can be securely synchronised across a user’s devices. This includes passkeys, which are cryptographic credentials stored in the cloud and used for passwordless login.

The final guidance clarifies how these authenticators can be used at different Authenticator Assurance Levels (AALs), particularly AAL2 and AAL3, where phishing resistance is a key requirement.

  2. Password Policy Reinforcement

One of the most impactful aspects of NIST’s updated guidance is its continued rejection of outdated password policies. The final version of SP 800-63B reinforces a more modern, evidence-based approach to password management, one that prioritises both security and usability.

  • Periodic password expiration – NIST strongly discourages periodic password expiration policies (those that require users to change their passwords every 60 or 90 days). Research has shown that these policies often lead to weaker security outcomes: users tend to make minimal changes (e.g. adding a number or symbol to the end), which attackers can easily guess. Instead, NIST recommends that passwords only be changed when there is evidence of compromise.
  • Complexity requirements – gone are the days of requiring passwords like P@ssw0rd!123. The final guidance confirms that composition rules, such as mandating uppercase letters, numbers, or special characters, are not only unnecessary but can also reduce security. These rules often lead to predictable patterns and increase user frustration. NIST now encourages allowing users to create longer (at least 15 characters), more memorable passphrases (e.g. “correct horse battery staple”) that are easier to remember and harder to crack.
  • Screening against compromised credentials – rather than relying on chance complexity, NIST recommends a more effective strategy: screening user-selected passwords against known breached password lists. This ensures that users aren’t choosing credentials that have already been exposed in data leaks.

This approach prioritises usability and security, reducing the burden on users while maintaining strong protection.

  3. Updated Threat Models

As digital identity systems evolve, so too must the threat models that underpin them. The final version of NIST SP 800-63B introduces a more forward-looking approach to threat modelling, particularly for emerging technologies such as syncable authenticators and cloud-based credential storage.

These updates are designed to help organisations better understand the risks they face and implement appropriate safeguards.

  • Credential syncing across devices – with the rise of passkeys and other syncable authenticators, credentials are no longer tied to a single device. Instead, they can be securely synchronised across a user’s phone, tablet, laptop, and even cloud accounts. While this improves usability, it also introduces new risks:
    • Unauthorised access if a cloud account is compromised.
    • Credential leakage during sync operations if encryption is weak or improperly implemented.
    • Loss of control over where and how credentials are stored.
  • Cloud-based storage risks – storing credentials in the cloud, whether through a browser, operating system, or third-party service, creates a broader attack surface. Threats include:
    • Insider threats from cloud service providers.
    • Cross-platform vulnerabilities that could expose credentials on less secure devices.
    • Data breaches that could compromise large volumes of authentication data.

To address this, NIST recommends implementing phishing-resistant authenticators, hardware-backed security modules, and robust access controls for cloud-stored credentials.

  • Device compromise scenarios – even the most secure authentication method can be undermined if the device it runs on is compromised. The updated threat model accounts for:
    • Malware that intercepts or manipulates authentication flows.
    • Rooted or jailbroken devices that bypass OS-level protections.
    • Physical theft of devices that store syncable credentials.

Mitigation strategies include:

    • Biometric or PIN-based local authentication before credential use.
    • Remote wipe capabilities for lost or stolen devices.
    • Continuous monitoring for signs of compromise or unusual behaviour.

  4. Usability and Accessibility

Security shouldn’t come at the cost of accessibility. The updated guidance emphasises the importance of inclusive design, ensuring that authentication methods are usable by people with disabilities and across a wide range of devices and platforms.

  5. Secure Storage of Passwords

Storing passwords securely is just as important as how they’re created. According to NIST SP 800-63B, passwords (or any memorised secrets) must never be stored in plaintext. Instead, they should be protected using strong, modern cryptographic techniques.

Key Recommendations:

  • Use salted hashing: Each password must be hashed with a unique, per-user salt to prevent attackers from using precomputed hash tables.
  • Apply a slow hashing algorithm: NIST recommends deliberately slow, one-way key derivation functions such as PBKDF2, bcrypt, or scrypt (scrypt is additionally memory-hard, which further raises the cost of hardware-accelerated guessing). These algorithms are designed to make brute-force attacks significantly more difficult.
  • Avoid outdated algorithms: Fast hashing algorithms like MD5 or SHA-1 are no longer considered secure and should not be used for password storage.

Even if an attacker gains access to your password database, proper hashing and salting make it extremely difficult to recover the original passwords. This is a critical layer of defence in the event of a data breach.
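The policy points above (length rather than composition rules, screening against breached lists) and the storage recommendations (per-user salt, a slow KDF, constant-time verification) can be combined in one small module. This is an added example, not Intercede's or NIST's code; the breached-password set and the PBKDF2 iteration count are constructed assumptions, and a real deployment would load a full breach corpus.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for a breached-password corpus; stored lowercase so
# screening is case-insensitive. Real deployments hold millions of entries.
BREACHED_PASSWORDS = {"password", "p@ssw0rd!123", "qwerty123456789", "letmein"}

MIN_LENGTH = 15               # the passphrase length the post says NIST now encourages
MAX_LENGTH = 64               # SP 800-63B requires verifiers to accept at least 64 chars
PBKDF2_ITERATIONS = 600_000   # assumption: a current PBKDF2-HMAC-SHA256 work factor


def normalize(password: str) -> str:
    """NFKC-normalise so the same passphrase typed on different devices gives the
    same bytes. Spaces are kept: passphrases like 'correct horse battery staple'."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> tuple[bool, str]:
    """Accept or reject a user-chosen password on length and breach screening
    only. Deliberately no uppercase/digit/symbol composition rules."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"
    if pw.lower() in BREACHED_PASSWORDS:
        return False, "found in a breached-password list; choose another"
    return True, "ok"


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random per-user salt is drawn when
    none is supplied, so two users with the same password never share a hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so timing
    does not leak how many leading bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```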

What This Means for Organisations

If your organisation is still relying heavily on passwords, now is the time to rethink your strategy. The final version of NIST SP 800-63B encourages a move toward phishing-resistant, passwordless authentication, a shift that not only improves security but also enhances the user experience.

Start by evaluating your current authentication methods. Are they aligned with the latest AAL requirements? Are you prepared to support passkeys or other syncable authenticators? These are the questions that will shape your identity strategy moving forward.

The latest update to NIST SP 800-63B marks a pivotal moment in the evolution of digital identity. By embracing modern authentication methods and retiring outdated password practices, NIST is helping organisations build a more secure and user-friendly future.

The MyID family of products will enable you to comply with this new guidance. Let us help you simplify compliance, improve security, and empower your team.

MyID PSM – makes your passwords as secure as they can be and helps you comply with password guidance.

MyID MFA – a secure login and password replacement solution that issues phishing-resistant authenticators.

MyID CMS – helps you issue and manage high-assurance credentials simply, securely and at scale.

Contact us today to schedule your demo.


Trusted by Governments and Enterprises Worldwide

Where protecting systems and information really matters, you will find Intercede. Whether it's citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose Intercede solutions to protect themselves against data breach, comply with regulations and ensure business continuity.