D1 · General

What is a password policy?

A password policy defines the requirements a password must meet: minimum length, complexity, expiration, history, and account lockout. NIST SP 800-63B now recommends long passphrases, no mandatory rotation (unless a password is known to be compromised), and checking candidate passwords against breach lists.
Current NIST guidance: a minimum of 8 characters (12+ recommended), no forced rotation, and no composition rules, because such rules push users toward predictable patterns (Password1!). Check passwords against HaveIBeenPwned. Length beats complexity.