Which NIST standard offers the latest guidance on password compliance and changes traditional password policy elements?


Prepare for the WGU ITAS6291 D488 Cybersecurity Architecture and Engineering exam. Use flashcards and multiple-choice questions, each with explanations and guidance. Master your knowledge and excel in your exam!

NIST 800-63 provides the most recent guidance on password compliance, introducing updated practices that significantly shift the traditional approach to password policy. The standard emphasizes a risk-based approach to identity proofing and authentication, and it includes guidelines for secure password management.

One of the key changes is the recommendation to allow users to create longer passwords or passphrases rather than forcing them to satisfy strict character-composition rules. This change recognizes that memorable, longer passwords can improve security while reducing the likelihood that users resort to insecure workarounds, such as writing passwords down or reusing them across different sites.

Additionally, NIST 800-63 advises against periodic password changes unless there is evidence of compromise. This reverses the older practice of enforcing frequent rotation, which often led users to choose weaker or predictable passwords. Overall, the guidance in NIST 800-63 represents a significant evolution in how organizations should approach password management, balancing usability with security.

The other NIST standards listed do not focus on modern password policy and compliance in the way NIST 800-63 does. They cover broader topics such as security controls, incident response, and network security, but they lack the dedicated treatment of user authentication and password management found in NIST 800-63.
