TL;DR: What Changed About Password Policies and Why It Matters
The old way of doing password policies is finally being left behind. Forced complexity, scheduled password resets, and arbitrary length limits have been replaced by smarter, research-backed recommendations. In 2025, Microsoft and NIST both recommend allowing long passwords or passphrases, removing complexity requirements, banning weak and reused passwords, and eliminating routine password expirations. They also agree that strong password policies only work when paired with multi-factor authentication (MFA). The shift is clear: stop making users jump through hoops and start focusing on real-world risk.
Table of contents
- What Does Microsoft Recommend for Password Policies in 2025?
- What Does NIST Recommend for Password Policy Best Practices?
- How Do Microsoft and NIST Password Policies Compare?
- What Is the Best Practice for Password Reuse and Expiration?
- What About Account Lockout Policy Best Practices?
- How Should MFA Be Integrated Into Your Password Policy?
- Want to See What a Modern Password Policy Looks Like in Action?
- FAQ: Password Policy Best Practices
- About the Author
What Does Microsoft Recommend for Password Policies in 2025?
Microsoft has completely rethought what password policy best practices should look like for modern organizations. Gone are the days of forcing users to create complex passwords they can’t remember or requiring them to change those passwords every 90 days. Microsoft now focuses on real-world attack prevention, usability, and the behavioral patterns that lead to compromise.
Here are the key elements of Microsoft’s current guidance:
- Minimum Password Length: Microsoft recommends setting a minimum of 14 characters for passwords. Longer passwords reduce the risk of brute-force attacks and encourage passphrase usage, which users are more likely to remember and less likely to reuse.
- No Composition Rules: You no longer need to require uppercase letters, numbers, or special symbols. Microsoft found that these rules lead users to create predictable patterns, like capitalizing the first letter and adding “1!” at the end. These patterns are easy for attackers to guess. Instead, the focus is on password length and uniqueness.
- Ban Common or Weak Passwords: One of Microsoft’s most important recommendations is to block users from selecting passwords that are known to be weak or commonly used. With Azure AD Password Protection, you can implement both a global banned-password list and custom rules specific to your organization.
- No Mandatory Expiration: Microsoft advises against forcing users to change passwords on a fixed schedule, such as every 60 or 90 days. This leads to weaker passwords and more predictable behavior. Passwords should only be changed when there is evidence they were compromised.
- Prevent Password Reuse: On-prem Active Directory can still enforce password history (for example, remembering the last 24 passwords). Microsoft also recommends educating users not to reuse their work passwords for other systems or websites.
- Always Pair Passwords With MFA: Microsoft considers multi-factor authentication non-negotiable. Even the strongest password becomes irrelevant if an attacker gets past it. With tools like Conditional Access and Smart Lockout, Microsoft encourages using MFA across all user types, especially for privileged accounts.
The shift in thinking is clear: Microsoft wants organizations to prioritize password policies that stop real threats without forcing users into bad habits. That means removing outdated rules, enforcing banned-password lists, and building a culture of secure authentication through education and MFA.
If your password policy encourages predictable behavior, it’s helping attackers more than your users.
What Does NIST Recommend for Password Policy Best Practices?
The National Institute of Standards and Technology (NIST) has taken a strong stance on simplifying password policies while still making them more secure. Their recommendations, outlined in SP 800-63B, have become widely adopted across both government and private sectors. Like Microsoft, NIST is moving away from rigid rules and toward policies that account for real user behavior and modern threats.
Here’s what NIST considers the best practice for password policy:
- Minimum Password Length: NIST requires a minimum of 8 characters, but recommends allowing passwords up to 64 characters or more. Users should be free to use long, memorable passphrases that include spaces and special characters.
- No Complexity Requirements: NIST explicitly discourages forcing users to include a mix of uppercase, lowercase, numbers, or symbols. Research shows these rules do little to improve security and often result in predictable patterns that attackers can guess.
- No Mandatory Password Expiration: NIST advises against scheduled password resets. Users should only change their passwords if there is a known compromise. Like Microsoft, NIST found that forced changes lead to worse passwords, not better ones.
- Block Known Weak or Compromised Passwords: When a user sets or resets a password, NIST recommends checking it against a blocklist of commonly used, breached, or easily guessed passwords. If it matches, the system should reject it.
- Encourage Password Managers: NIST encourages allowing paste functionality in login forms, enabling users to manage long, unique passwords with password managers. They also recommend allowing users to view passwords as they type to reduce mistakes.
- No Password Hints or Security Questions: These recovery methods are considered insecure and should be avoided. Instead, rely on MFA or secure reset processes.
- Use Multi-Factor Authentication: NIST strongly supports using MFA, especially for sensitive systems or high-assurance environments. While their password policy stands on its own, they view MFA as an essential additional layer of protection.
NIST’s philosophy is to build password policies that are secure without being burdensome. By eliminating unnecessary rules and focusing on blocking the worst passwords, they aim to improve both security and user experience.
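Both the Microsoft list above and the NIST list come down to the same enforcement logic: check length, skip composition rules, and screen the candidate against a banned list after undoing the substitutions users make when forced to add symbols. The following is an added example, not code from Artifice Security, Microsoft or NIST; the banned terms, the substitution table and the edge-stripping rule are constructed assumptions that approximate what a banned-password filter does, and the legacy rule set is included only to show which passwords it lets through.

```python
import unicodedata
from dataclasses import dataclass

# Constructed sample of banned base terms. A real deployment combines a large
# global list with organization-specific terms (company, product, city names),
# which is what a global plus custom banned-password list provides.
BANNED_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "contoso"}

# Assumed substitution table: the obfuscations users reach for when a policy
# demands symbols and digits, undone before the banned-list lookup.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t"})
EDGE_CHARS = "0123456789!@#$%^&*()_+-=[]{};':\",./<>?`~ "

MIN_LENGTH = 14   # Microsoft's recommended minimum
MAX_LENGTH = 64   # NIST: allow at least 64; reject rather than truncate beyond it


def normalize(password: str) -> str:
    """Reduce a candidate to its base word so that Password2024!, P@ssw0rd1!
    and Welcome2Contoso!! all fail the same lookup."""
    core = unicodedata.normalize("NFKC", password).casefold()
    core = core.strip(EDGE_CHARS)           # drop the "2024!" / "1!" suffixes
    return core.translate(LEET_MAP)         # undo @->a, 0->o, $->s ...


@dataclass
class PolicyResult:
    accepted: bool
    reason: str


def check_password(password: str, banned_words=BANNED_BASE_WORDS) -> PolicyResult:
    """Modern policy: length bounds, no composition rules, banned-list screening."""
    if len(password) < MIN_LENGTH:
        return PolicyResult(False, f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        return PolicyResult(False, f"longer than {MAX_LENGTH} characters")
    core = normalize(password)
    for word in sorted(banned_words):
        if word in core:
            return PolicyResult(False, f"contains banned term '{word}'")
    return PolicyResult(True, "ok")


def legacy_complexity_ok(password: str) -> bool:
    """The rule set both Microsoft and NIST now advise against: 8+ characters
    drawn from three of four character classes. Kept only for contrast."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 8 and sum(classes) >= 3


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Welcome2Contoso2024!",
                      "correct horse battery staple", "café au lait avant le travail"]:
        print(f"{candidate!r:40} legacy={legacy_complexity_ok(candidate)!s:5} "
              f"modern={check_password(candidate)}")
```

Running the script shows the contrast the two sections describe: `P@ssw0rd1!` satisfies the legacy three-of-four rule and fails the modern check, while a four-word passphrase with spaces fails the legacy rule and passes the modern one. Passwords over the maximum are rejected outright rather than silently truncated, so the stored secret is always what the user typed.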
How Do Microsoft and NIST Password Policies Compare?

Microsoft and NIST come from different worlds, one corporate and one federal, but their password policy best practices are remarkably aligned in 2025. Both have moved away from outdated thinking and now prioritize usability, length, uniqueness, and threat mitigation over complexity for its own sake.
Here’s how they compare across the most important areas:
Minimum Length
- Microsoft: Minimum of 14 characters
- NIST: Minimum of 8 characters required, 15+ characters encouraged
- Why it matters: Both prioritize length as the most important factor in password strength. Longer passwords, especially passphrases, are harder to crack and easier to remember.
Complexity Requirements
- Microsoft: Recommends removing composition rules entirely
- NIST: Prohibits forced complexity requirements
- Why it matters: Users tend to create predictable patterns when forced to include special characters, which weakens password security instead of improving it.
Password Expiration
- Microsoft: Do not require scheduled changes
- NIST: Do not require expiration unless there’s evidence of compromise
- Why it matters: Forced resets result in trivial changes (like adding a number) and do not protect against real threats. Both organizations now advise against this old practice.
Banning Weak or Compromised Passwords
- Microsoft: Enforce banned-password lists using Azure AD Password Protection
- NIST: Require blocklist screening of passwords during creation
- Why it matters: Both recommend stopping the worst passwords before they’re ever used. This control does more to reduce risk than forcing symbols or resets.
Password Reuse
- Microsoft: Uses password history to prevent reuse of recent passwords; encourages users not to reuse passwords across services
- NIST: Doesn’t specify reuse limits, but emphasizes not reusing compromised passwords
- Why it matters: Password history in AD prevents immediate reuse. NIST’s blocklist approach targets reused or previously breached passwords.
Maximum Length and Character Set
- Microsoft: Supports long passwords and passphrases; avoids truncation
- NIST: Recommends supporting up to 64 characters with all ASCII/Unicode characters
- Why it matters: Letting users choose longer and more flexible passwords improves both security and usability.
Multi-Factor Authentication
- Microsoft: Strongly recommends MFA for all users, especially admins
- NIST: Encourages MFA in all environments and requires it for higher-assurance access
- Why it matters: Both agree that passwords alone are not enough. MFA prevents stolen credentials from turning into breaches.
Still forcing 90-day resets and special character rules? That’s not making your environment safer. It’s making it easier to exploit.
What Is the Best Practice for Password Reuse and Expiration?

For years, IT departments forced users to change their passwords every 60 or 90 days, and many still do. But both Microsoft and NIST now agree that routine password expiration is not only unnecessary, it can actually weaken security. The same applies to password reuse. The best practice for password policy today is to change passwords only when necessary and ensure users never recycle credentials, especially across systems.
Why Expiration Is Outdated
Users rarely create strong new passwords when forced to change them frequently. Instead, they make predictable adjustments, such as turning “Password2023!” into “Password2024!”. These minor changes are easy for attackers to guess and do nothing to protect the account.
Microsoft recommends disabling scheduled password expiration entirely unless there is a known compromise. NIST says the same: only change a password if there is evidence it has been stolen, leaked, or guessed. These recommendations are based on years of data showing that forced resets encourage poor password behavior and offer little protection in return.
How to Handle Password Reuse
Preventing reuse is critical, especially in enterprise environments. Microsoft still recommends enabling password history in Active Directory, typically remembering the last 24 passwords, to stop users from immediately reusing their previous ones. More importantly, Microsoft urges organizations to educate users not to reuse their work passwords on any other websites or services.
NIST takes a slightly different approach. Rather than tracking reuse within the same system, NIST focuses on stopping the reuse of passwords that are known to be weak or already compromised. During password creation or reset, organizations should compare new passwords against dynamic blocklists that include common and leaked passwords.
So What Should You Do?
- Do not force periodic password changes unless a compromise has occurred
- Block known weak or breached passwords at the time of creation
- Prevent reuse of recent passwords with history enforcement in AD
- Educate users not to reuse their enterprise credentials on other platforms
By eliminating unnecessary expiration policies and focusing on smarter controls, organizations improve both security and usability. That balance is the foundation of modern password policy best practices.
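The two reuse controls described above, Microsoft's last-24 password history and NIST's screening against leaked-password data, fit together in one reset handler. This is an added example, not code from Artifice Security, Microsoft or NIST: the history keeps salted PBKDF2 hashes so old passwords are never stored in recoverable form, and the breach corpus is a constructed stand-in that is queried by five-character hash prefix, the k-anonymity pattern public breached-password services use so that the full hash never leaves the caller. The PBKDF2 round count is kept low for the example.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 24        # "remember the last 24 passwords"
PBKDF2_ROUNDS = 20_000    # kept low for the example; tune upward in production


class PasswordHistory:
    """Per-user record of recent passwords as salted PBKDF2 hashes, so reuse can
    be refused without ever storing a password in a recoverable form."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = deque(maxlen=depth)   # oldest entry falls off at depth

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def is_reused(self, password: str) -> bool:
        return any(hmac.compare_digest(self._digest(password, salt), stored)
                   for salt, stored in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


# Constructed stand-in for a breached-password corpus, keyed by SHA-1 digest
# the way the public range-query services are.
_BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                  for p in ("Password2023!", "Password2024!", "Welcome123", "Summer2025!")}


def range_lookup(prefix: str) -> set:
    """Simulates the server side of a k-anonymity range query: the caller sends
    only the first five hex characters and gets back every matching suffix."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def evaluate_change(history: PasswordHistory, new_password: str) -> str:
    """Decision a reset endpoint would make: refuse breached or recently used
    passwords, otherwise record the new one and accept."""
    if is_breached(new_password):
        return "rejected: appears in breach corpus"
    if history.is_reused(new_password):
        return f"rejected: matches one of the last {history.depth} passwords"
    history.record(new_password)
    return "accepted"
```

Because each entry carries its own salt, checking a candidate costs one PBKDF2 computation per remembered password; with a depth of 24 that is the price of the control, and it only runs at change time, not at every sign-in.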
What About Account Lockout Policy Best Practices?
Account lockout policies are meant to protect against brute-force attacks and password guessing, but if configured too aggressively, they can become an easy way for attackers to cause denial-of-service conditions. That’s why both Microsoft and NIST have shifted toward smarter, more balanced recommendations.
What Microsoft Recommends
Microsoft provides two main options depending on your organization’s environment:
- Option 1: Set a lockout threshold of 10 failed attempts. This allows legitimate users a chance to correct their mistakes while still stopping automated attacks.
- Option 2: Set the threshold to 0 (no lockout), but only if you have strong monitoring in place. This prevents attackers from locking out users intentionally, which is a tactic used to disrupt operations.
Microsoft also recommends setting:
- Lockout duration to 15 minutes
- Reset account lockout counter to 15 minutes or less
- Smart Lockout in Azure AD, which tracks sign-in attempts across IPs and users to block malicious behavior without locking out legitimate users
What NIST Recommends
NIST takes a slightly different approach. Instead of focusing on lockout thresholds, it emphasizes rate-limiting and delaying authentication attempts. NIST suggests:
- Throttling response times after repeated failed logins
- Avoiding hard lockouts unless necessary
- Providing user-friendly error messages with guidance for next steps
The idea is to slow down attackers without punishing users. Delays of a few seconds between attempts can make brute-force attacks impractical without causing frustration for real users.
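The Microsoft settings (threshold 10, 15-minute lockout, 15-minute counter reset) and the NIST approach (delays instead of hard lockouts) are two configurations of the same guard. The following is an added example, not code from Artifice Security, Microsoft or NIST; the exponential delay schedule and its 30-second cap are assumptions, and the injectable clock exists so the policy can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 10             # failures before lockout; 0 = never hard-lock
    lockout_seconds: int = 15 * 60  # Microsoft: 15-minute lockout
    window_seconds: int = 15 * 60   # Microsoft: reset the counter after 15 minutes
    throttle_base: float = 0.0      # NIST-style delay seed; 0 disables throttling
    throttle_cap: float = 30.0      # assumed ceiling so real users are never stalled for long


MICROSOFT_OPTION_1 = LockoutPolicy()                            # 10 / 15 min / 15 min
NIST_THROTTLE = LockoutPolicy(threshold=0, throttle_base=1.0)   # delays, no hard lock


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_until: float = 0.0


class AuthGuard:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        s = self.accounts.setdefault(user, AccountState())
        if s.failures and self.clock() - s.first_failure_at > self.policy.window_seconds:
            s.failures = 0            # observation window elapsed: counter resets
        return s

    def check(self, user: str) -> Tuple[bool, float]:
        """Before processing an attempt: (allowed, seconds to delay the response)."""
        s, now = self._state(user), self.clock()
        if s.locked_until > now:
            return False, s.locked_until - now
        delay = 0.0
        if self.policy.throttle_base and s.failures:
            delay = min(self.policy.throttle_base * 2 ** (s.failures - 1),
                        self.policy.throttle_cap)
        return True, delay

    def record_failure(self, user: str) -> None:
        s, now = self._state(user), self.clock()
        if s.failures == 0:
            s.first_failure_at = now
        s.failures += 1
        if self.policy.threshold and s.failures >= self.policy.threshold:
            s.locked_until = now + self.policy.lockout_seconds
            s.failures = 0

    def record_success(self, user: str) -> None:
        self.accounts.pop(user, None)
```

Under `MICROSOFT_OPTION_1` the tenth failure inside the window locks the account for 900 seconds, and nine failures spread over more than 15 minutes never do. Under `NIST_THROTTLE` nothing is ever locked, which removes the denial-of-service lever, but the delay doubles with each failure up to the cap, which is what makes a guessing loop impractical.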
Best Practices for Lockout Policies
- Use a lockout threshold between 5 and 10 failed attempts if you are not using Smart Lockout
- Consider Smart Lockout if using hybrid or Azure AD environments
- Set lockout and counter reset durations to 15 minutes
- Avoid low thresholds that can be abused to lock out users
- Monitor for password spray attempts and respond with alerts or rate-limiting
- Combine with MFA to minimize reliance on lockout mechanisms
Lockout policies should protect against abuse without becoming a tool for attackers. When paired with MFA and password blocklists, a reasonable lockout configuration strengthens security without compromising usability.
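The list above says to monitor for password spray, which is exactly the pattern a lockout threshold does not see: one source tries a few guesses against many accounts and stays under the threshold for each. The detection below is an added example, not code from Artifice Security, Microsoft or NIST; the log format is constructed (`timestamp src= user= result=`), as are the sample lines, so map the fields of your real sign-in log onto it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed log format for the example; a real sign-in log has equivalent
# source-address, account and outcome fields.
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["user"], m["result"]


def detect_spray(lines, window=timedelta(minutes=15), min_users=5, max_per_user=3):
    """Flag sources that fail against many distinct accounts inside one window
    while keeping every account below the lockout threshold. A source hammering
    a single account is left to the lockout policy and is not reported here."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == "FAIL":
            failures[parsed[1]].append((parsed[0], parsed[2]))

    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # slide the window over each start
            per_user: Dict[str, int] = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = {"users": len(per_user), "window_start": start}
                break
    return alerts


# Constructed sample: one spraying source, one single-account brute force that
# lockout handles, and one legitimate user who mistyped once.
SAMPLE_LOG = [
    "2025-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2025-05-01T10:00:04Z src=203.0.113.7 user=bob result=FAIL",
    "2025-05-01T10:00:07Z src=203.0.113.7 user=carol result=FAIL",
    "2025-05-01T10:00:10Z src=203.0.113.7 user=dave result=FAIL",
    "2025-05-01T10:00:13Z src=203.0.113.7 user=erin result=FAIL",
    "2025-05-01T10:00:16Z src=203.0.113.7 user=frank result=FAIL",
    "2025-05-01T10:02:30Z src=192.0.2.10 user=alice result=FAIL",
    "2025-05-01T10:02:41Z src=192.0.2.10 user=alice result=SUCCESS",
] + [f"2025-05-01T10:01:{s:02d}Z src=198.51.100.5 user=bob result=FAIL" for s in range(0, 60, 5)]


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"password spray from {src}: {info['users']} accounts since {info['window_start']}")
```

On the sample only `203.0.113.7` is reported: six accounts, one failure each. The twelve failures from `198.51.100.5` against a single account are not a spray; with the Microsoft settings that source locks the account out after ten attempts, which is the event the lockout policy itself should alert on.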
How Should MFA Be Integrated Into Your Password Policy?

A strong password is no longer enough to stop modern attacks. Phishing, credential stuffing, and password reuse are too common and too effective to rely on passwords alone. That is why both Microsoft and NIST now treat multi-factor authentication, or MFA, as a critical part of any secure authentication strategy.
Why MFA Is Essential
Even a well-constructed password can still be compromised. A user might reuse it on a third-party site that gets breached, or they might unknowingly hand it over during a phishing attack. With MFA in place, a stolen password by itself is not enough. An attacker would also need a second factor, such as a mobile device or physical key.
Microsoft recommends requiring MFA for all users, especially those with elevated access. Azure AD provides Conditional Access and Security Defaults to help enforce MFA based on user risk, location, or device posture.
NIST also encourages the use of MFA across all environments. Their digital identity guidelines outline assurance levels where MFA is expected when handling sensitive or regulated information. NIST does not require a specific type of second factor, but it supports the use of phishing-resistant methods like security keys, biometrics, or time-based one-time codes.
How to Incorporate MFA Into Your Password Policy
- Require MFA for all users accessing internal or cloud systems
- Apply Conditional Access policies to manage MFA prompts intelligently
- Do not exclude administrative or high-privilege accounts
- Make MFA enrollment and enforcement part of onboarding
- Use MFA to support other policy decisions, such as removing password expiration
MFA strengthens your environment by limiting what a compromised password can do. When used alongside a solid password policy, it helps protect your users and your data from the kinds of attacks that bypass passwords entirely.
MFA is not an upgrade. It’s the minimum. If you don’t enforce it now, someone else will, using your credentials.
Want to See What a Modern Password Policy Looks Like in Action?
If your current policy still includes password complexity rules, 90-day expiration cycles, and no MFA, it’s time to rethink it. Most of these legacy requirements no longer protect your users. In fact, they may be doing more harm than good.
Modern password policies rely on longer passphrases, blocklists that stop weak or reused credentials, and multi-factor authentication to reduce the impact of compromised passwords. These are not just theoretical improvements — they are backed by Microsoft, NIST, and years of real-world security data.
At Artifice Security, we help organizations design and enforce password policies that make sense for today’s threat landscape. If you want a second opinion or just need help turning guidance into practical steps, we’re here to help.
Book a free consultation with our team
FAQ: Password Policy Best Practices
The best password policy settings for Active Directory in 2025 include a minimum length of 14 characters, no forced complexity requirements, and no mandatory password expiration. Microsoft also recommends banning common passwords using Azure AD Password Protection, preventing password reuse with history enforcement, and always pairing passwords with multi-factor authentication.
No. Both Microsoft and NIST recommend against scheduled password changes. Forced resets often lead to predictable password updates that weaken security. Instead, passwords should only be changed if there is evidence of compromise.
No. Current best practices no longer require forced character complexity. These rules tend to create predictable patterns that are easy to guess. Instead, focus on allowing longer passphrases and banning weak or compromised passwords.
Microsoft recommends setting a threshold of 10 failed attempts with a 15-minute lockout and counter reset. For hybrid environments, Azure AD Smart Lockout can offer better protection without locking out users. NIST prefers rate limiting and short delays instead of full lockouts, to avoid denial-of-service risks.
No. Both Microsoft and NIST recommend against password hints and security questions. These methods are often insecure and can be exploited by attackers. Instead, use secure password recovery methods like MFA or self-service reset portals.
Yes. MFA is critical, but it should not be the only layer of protection. A strong password policy, combined with MFA, provides defense in depth. Together, they protect against password theft, phishing, and credential stuffing attacks.
About the Author
Jason Zaffuto
Founder and Lead Consultant, Artifice Security
Jason Zaffuto is a cybersecurity veteran with more than 25 years of experience in offensive security, penetration testing, and red team operations. He is the creator of the MPPT (Manually Performed Penetration Testing) methodology and has helped secure critical systems for government agencies, enterprise networks, and cloud-based environments.
Before founding Artifice Security, Jason held roles at Rapid7, NASA, and in military intelligence, where he specialized in real-world attack simulation and advanced threat modeling. He holds certifications including OSCP, OSWE, OSCE, and CISSP, and continues to speak out against misleading industry practices.
Jason’s work is grounded in practical results and clear communication. He believes every security engagement should stand up to real-world threats, not just meet a checklist.