User-generated passwords are required to be at least 8 characters in length.
Users can create passwords up to 256 characters in length.
All ASCII/Unicode characters are allowed, including emojis and spaces.
Stored passwords are hashed and salted, and never truncated.
Prospective passwords are compared against password breach databases and rejected if there’s a match.
Passwords do not expire.
Users are allowed 10 failed password attempts before being locked out of a system or service.
Passwords do not have hints.
Complexity rules, such as requiring special characters, numbers or uppercase letters, are not imposed.
You have probably noticed that some of these recommendations represent a departure from previous assumptions and standards.
For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements.
Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers.
Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.
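The rules listed at the top of this page, turned into a small Python validator as an added example (not code from the page or from NIST): a length check of 8 to 256 characters with no complexity rule, a breach-list check against a constructed set of leaked passwords, salted hashing over the full input so nothing is truncated, and a counter that locks an account after 10 failed attempts. The function names and the NFKC normalization step are assumptions beyond the page's list.

```python
import hashlib
import os
import secrets
import unicodedata

MIN_LEN, MAX_LEN, MAX_FAILED_ATTEMPTS = 8, 256, 10

# Constructed stand-in for a breach database; a real service would query a
# corpus of leaked passwords instead of this hard-coded set.
BREACHED = {"password", "12345678", "qwertyui", "letmein1"}

def normalize(password):
    """NFKC so the same password typed on different keyboards hashes identically."""
    return unicodedata.normalize("NFKC", password)

def validate_password(candidate):
    """Return policy violations (empty list = accepted). Length is counted in
    code points, so emojis and spaces count; no complexity rule is applied."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if pw.lower() in BREACHED:
        problems.append("found in breach database")
    return problems

def hash_password(password, salt=b""):
    """Salted scrypt over the full UTF-8 encoding, so no input is truncated."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password, salt, stored):
    return secrets.compare_digest(hash_password(password, salt)[1], stored)

class FailedAttemptCounter:
    """Counts consecutive failures per user; record() returns True once locked."""
    def __init__(self):
        self.failures = {}

    def record(self, user, success):
        if success:
            self.failures.pop(user, None)
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.failures[user] >= MAX_FAILED_ATTEMPTS
```

Some password hashing schemes silently truncate long input (bcrypt stops at 72 bytes), which is why the block hashes the full UTF-8 encoding with scrypt; whatever scheme a deployment picks, the "never truncated" rule needs to be checked against that scheme's documented limits.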