Spiceworks Community Digest: No more forced password resets!
It’s Cybersecurity Awareness Month! The National Institute of Standards and Technology (NIST) has once again updated its password guidance (Special Publication 800-63B), continuing the shift away from strict complexity rules and toward length and practical usability.
The key changes focus on:
- Length over complexity: a long, memorable passphrase beats a short password stuffed with character classes, and verifiers should accept long passwords (NIST asks for at least 64 characters) rather than enforcing composition rules.
- Elimination of regularly scheduled forced resets: a change is required only when there is evidence of compromise, such as a breach, not because a calendar timer expired.
- Mandatory password blocklists: every candidate password is checked against a list of common, previously breached, and context-specific values (the username, the name of the service) and rejected on a match.
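As an added example (not code from NIST or from any of the community posters quoted here), the three points above as a small Python validator: a length check with no composition rules, a blocklist lookup that also catches context-specific words, and the SHA-1 split used for a k-anonymity range lookup against a breach corpus. The blocklist contents, the 15-character minimum, and the `spiceworks` service name are constructed assumptions for illustration; no network call is made.

```python
import hashlib
import unicodedata

# Constructed sample blocklist: a stand-in for a real list built from
# breach corpora and dictionary words. Entries are stored casefolded
# with whitespace removed so "Correct Horse Battery Staple" still matches.
SAMPLE_BLOCKLIST = frozenset({
    "password", "password1", "qwerty123", "letmein", "welcome1",
    "correcthorsebatterystaple",
})

MIN_LENGTH = 15     # assumption: minimum for single-factor use; the older floor is 8
MAX_LENGTH = 128    # NIST requires accepting at least 64; the cap only bounds hashing cost
SERVICE_NAME = "spiceworks"   # assumption: context word for this deployment


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode strings compare and hash equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, username: str,
                   blocklist=SAMPLE_BLOCKLIST, service: str = SERVICE_NAME):
    """Return (accepted, reason). No composition rules: length and blocklist only."""
    pw = normalize(candidate)
    # Length is measured in code points, and spaces are allowed in passphrases.
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    # Repetitive strings belong on a blocklist too; this catches the simplest case.
    if len(set(pw)) == 1:
        return False, "repetitive"
    folded = pw.casefold()
    compact = "".join(folded.split())
    if folded in blocklist or compact in blocklist:
        return False, "blocklisted"
    # Context-specific words: the username and the name of the service.
    if username and username.casefold() in folded:
        return False, "contains username"
    if service and service.casefold() in folded:
        return False, "contains service name"
    return True, "ok"


def hibp_range_query_parts(candidate: str):
    """Split the uppercase hex SHA-1 for a k-anonymity range lookup.

    Only the 5-character prefix would leave the host; the caller compares the
    35-character suffix against the list returned for that prefix locally.
    """
    digest = hashlib.sha1(normalize(candidate).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple",
               "purple otter juggles nine lanterns", "alice has a very long passphrase"):
        print(f"{pw!r}: {check_password(pw, 'alice')}")
    print("range query prefix for 'password':", hibp_range_query_parts("password")[0])
```

Note that the blocklist check is an exact match after casefolding and whitespace removal; matching on substrings or leetspeak variants is a policy choice that trades false positives for coverage, and the username and service-name checks above are the one place this code deliberately uses substring matching.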
We asked the community about their experience with these new guidelines, and it’s clear that while the industry is slowly moving in the right direction, many IT pros are still battling legacy systems and compliance auditors clinging to outdated rules.
New Password Paradigm
The core of the NIST update was very popular amongst IT professionals.
- Ode2joy: “These were the first two things I implemented when I started this gig six years ago. The password length requirement was ridiculously short, so I bumped that up and forced any that didn’t comply to be changed, but then placated everyone by telling them no more forced password expirations. There was much rejoicing.”
- sanmart: “I like the focus on longer, memorable passphrases instead of complex passwords. It makes them easier to remember and more secure. I’ve already switched to passphrases and stopped using forced resets unless there’s a breach. The idea of password blocklists is great too.”
- MB13977: “Nice to see NIST catching up with the guidance other standards have been giving for several years now.”
Legacy Tech, Auditors, and Mixed Messages
Despite NIST’s clear guidance, many IT departments are stuck between modern security needs, the limitations of legacy systems, and compliance bodies.
- DailyLlama: “We can’t require a password longer than 7 characters because of a baked-in password in an app based in SQL2014 (which is also preventing us moving our entire estate to Windows 11), but we are telling people that we require a 13 character password. So they are all creating 13 character passwords…”
- jameswalker20: “I find it funny, in a sad way, @PatrickFarrell. PCI DSS has those password requirements, but my bank login password is restricted to eight characters.”
- ITisMagic: “It’s funny how passphrases are touted here (which I absolutely agree with), but everywhere else is still pushing complex passwords that are just a mess of alphanumeric characters. Do these organizations even communicate with each other?”
- spiceuser-m93fv: “Only if all sites allowed me to enter a 20-character passphrase.”
The push for length, passphrases, and blocklists is a huge step for usability and security, but as the IT pros show, implementing it across a sprawling digital estate is the real challenge. Join the conversation in the Spiceworks Community and tell us what you’ve implemented.