Passwords are a pain for most users. While there has been talk of eliminating passwords, the alternatives are nowhere in sight. Will password tyranny continue in 2025, or is there hope of making cyberspace more user-friendly?
The simple answer is that passwords will remain the de-facto and most popular authentication mechanism in 2025. Passwordless authentication and other alternatives to passwords are still some years away.
The Current State of Password Security
A 2019 Google/Harris Poll study shows that three out of four respondents struggle with their passwords, and most users opt for weak passwords when they have a choice. 44% of employees reuse passwords across work and personal accounts, and 31% of them use their children’s names as passwords.
The stringent password rules enforced by validators often complicate password management. At times, these rules, intended to enhance security, frustrate users and have the opposite effect.
Here are the latest trends and best practices for ensuring safe and reliable passwords in 2025.
Password Length and Structure
As a rule of thumb, the longer the password, the more difficult it is for hackers to crack it. A longer password increases the number of possible combinations. In a brute-force attack, the hacker tries every possible combination until they find the correct one, so longer passwords make brute-force attacks that much more difficult. With passwords drawn from the 94 printable ASCII symbols (letters, digits and punctuation), each additional character multiplies the number of possible combinations by 94.
The latest US NIST Digital Identity Guidelines, SP 800-63, mandate a minimum length of eight characters and recommend a minimum of 15 characters. Computing systems also have to accept passwords of up to 64 characters in length. This flexibility in length allows users to create passwords even stronger than what the standards recommend.
The latest PCI DSS 4.0 standards, which will come into effect by March 2025, mandate a password length of a minimum of 12 characters.
The SOC2 standards mandate 12 to 16 characters in passwords.
The Use of Special Characters
The use of a combination of uppercase, lowercase, numbers, and special characters has been the norm for passwords.
Increasing the number of character types increases the number of possible password combinations. Diverse character sets also foil dictionary attacks, in which hackers try to crack passwords using common words and phrases.
Most password standards, including NIST and OWASP, mandate complexity. The internal IT policies of most organisations also enforce similar complexity rules.
But these complexity requirements place an extra burden on users. Many users circumvent the onerous requirements through predictable patterns. They may use passwords such as ‘Password123’, which hackers guess with ease.
The use of long passwords built from random phrases makes the character-type requirements unnecessary.
As per the latest August 2024 NIST SP 800-63-4 standards, verifiers can no longer insist on specific characters or cases of their choice. The new guidelines allow all 64 printable ASCII characters, including spaces. Users may even include Unicode characters, with each character counted as one unit of password length. Unicode support allows users to set passwords in their own languages.
The PCI DSS standards continue to mandate uppercase and lowercase letters and special characters.
Using Password Managers
Remembering passwords is a major pain point for users. The difficulty has increased lately as password mandates have become more and more complex. This difficulty pushes users to reuse the same password across accounts, compromising safety.
Password managers generate robust passwords and store them encrypted. Users can create a unique password for each account, then retrieve it from the password manager app and paste it in to log in.
When users use password managers, they tend to create stronger, more secure passwords. Authentication becomes more effortless as well.
The NIST SP 800-63-3 guidelines recommend the use of password managers. State-of-the-art password managers ensure compliance with NIST and other standards.
Password managers have a low adoption rate among users, but the adoption is growing. As of now, only 30% of internet users use password managers to track their passwords.
Discontinuing Knowledge-based Authentication
Knowledge-based authentication has become a popular method of reinforcing passwords. The most common application is security questions to authenticate users who forget passwords.
But such knowledge-based authentication has become very risky. Attackers now use social engineering to obtain the answers to common questions such as “In which year did you graduate?”
The new NIST SP 800-63-4 guidelines discontinue knowledge-based authentication. Verifiers can no longer use security questions to authenticate users or grant access.
Likewise, systems cannot make password hints accessible to unauthorised users.
Validating Passwords Against a Blacklist
A new trend in password management is blacklisting certain passwords.
The NIST SP 800-63-3 guidelines recommend a check against a “blacklist” (also called a blocklist). Every time a user creates a new password, it is checked against this list. Such a blocklist thwarts the common tricks hackers have used in the past to gain unauthorised entry. If the password set by the user shows up on the blocklist, the system will not accept it.
Validating passwords in this way improves protection against credential-stuffing attacks, in which hackers breach multiple accounts after getting their hands on a password through one compromised site. A Google/Harris survey reveals that 52% of people reuse passwords across many accounts.
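As an added example (not code from the article, NIST or any vendor mentioned here), the following Python validator applies the rules from the length, character-set and blocklist sections above in one place: a mandated minimum of 8 characters with a warning below the recommended 15, acceptance of passwords up to 64 characters, every Unicode code point and space counted as one unit of length, no composition rules, and a case-insensitive check against a blocklist. The blocklist contents are constructed for the example; a real verifier would load a large list of common and breached passwords. The NFKC normalisation step is an assumption borrowed from common practice so that the same passphrase typed on different keyboards compares equal.

```python
import unicodedata
from dataclasses import dataclass, field

# Length rules as described in the text above (NIST SP 800-63 figures).
MIN_LENGTH = 8            # mandated minimum
RECOMMENDED_LENGTH = 15   # recommended minimum; shorter only earns a warning
MAX_LENGTH = 64           # verifier must accept at least this many characters

# Constructed sample blocklist for the example only. A production verifier
# would load a large list of commonly chosen and breached passwords instead.
SAMPLE_BLOCKLIST = {"password123", "qwerty", "letmein", "welcome1", "iloveyou"}


@dataclass
class Result:
    ok: bool
    errors: list = field(default_factory=list)    # reasons the password is rejected
    warnings: list = field(default_factory=list)  # advice that does not block acceptance


def normalise(secret: str) -> str:
    # Assumption: NFKC normalisation folds equivalent Unicode sequences (for
    # example a precomposed 'ä' and 'a' + combining diaeresis) into one form,
    # so the same passphrase compares equal regardless of input method.
    return unicodedata.normalize("NFKC", secret)


def validate_password(secret: str, blocklist=SAMPLE_BLOCKLIST) -> Result:
    result = Result(ok=True)
    secret = normalise(secret)

    # len() on a Python str counts code points, so each Unicode character is
    # one unit of length and a space is an ordinary character. No character
    # class is required or forbidden, in line with the no-composition-rules
    # guidance in the text.
    length = len(secret)
    if length < MIN_LENGTH:
        result.errors.append(f"shorter than {MIN_LENGTH} characters")
    elif length < RECOMMENDED_LENGTH:
        result.warnings.append(
            f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if length > MAX_LENGTH:
        result.errors.append(f"longer than {MAX_LENGTH} characters")

    # Blocklist comparison is case-insensitive so that 'Password123' does not
    # slip past a list that stores 'password123'.
    if secret.casefold() in blocklist:
        result.errors.append("appears on the blocklist of common or compromised passwords")

    result.ok = not result.errors
    return result


if __name__ == "__main__":
    # Constructed sample inputs illustrating each rule.
    for candidate in ["abc", "Password123", "pässwörd",
                      "correct horse battery staple", "a" * 65]:
        r = validate_password(candidate)
        print(f"{candidate!r:>34}: ok={r.ok} errors={r.errors} warnings={r.warnings}")
```

Note that the validator never rejects a password for lacking digits or symbols; the only hard failures are length bounds and a blocklist hit, which is exactly the trade the text describes: long, memorable passphrases in, predictable patterns such as ‘Password123’ out.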
The Use of Multi-Factor Authentication
Multi-factor authentication has become popular as an additional layer of protection. And it has proven to be very successful. Microsoft estimates MFA-enabled accounts to be 99.9% less likely to be compromised.
The NIST standards recommend MFA for protecting personal information. They also specify what can and cannot constitute a component of MFA. For instance, the standards allow smart cards and authenticator apps, among other authenticators, but do not allow email and VoIP, as these mediums are not considered out-of-band authenticators. They also discourage SMS-based OTPs, since such OTPs remain vulnerable to SIM-swapping attacks and phishing.
User adoption of MFA remains low. A recent GetApp survey estimates that only 55% of respondents use two-factor authentication by default.
Are Mandatory Password Resets on the Way Out?
The requirement to reset passwords originated decades ago when people used guessable passwords.
But such requirements have been a sore point among users.
Today, most services require robust, multi-character passwords or passphrases. Forcing users to change such strong passwords often weakens security: the extra burden prompts users to create simple, easy-to-remember passwords, and they may also save passwords in insecure ways.
32% of users keep track of their passwords using pen and paper. 23% of users maintain a list of passwords on their computers, and 20% use emails to store their passwords.
A key recommendation of the new NIST SP 800-63 guidelines is ending mandatory password resets. Password verifiers cannot require a password change except when there is evidence of a compromise.
But the PCI DSS 4.0 guidelines continue to mandate password resets at least once every 90 days. Users are exempt from such resets only if they use continuous, risk-based authentication.
Likewise, SOC2 standards force password changes at least once every sixty to ninety days.
Cyber-security solutions from vendors such as Kaspersky enable users to set up strong passwords. These tools also help enterprises keep up with the latest password standards. Kaspersky password manager helps users generate strong and unique passwords for each account. Users can store passwords in encrypted vaults, accessible with an equally strong master password. These tools also offer value-added features such as health checks to analyse and detect weak or compromised passwords.