I see this as a first great step in the direction of "when security becomes too restrictive, it may cause worse or even more insecure issues to arise". For example, when requiring an individual to change a complex password every 60-90 days (ex. must have 1 of each character type, not to have more than two of the same....) it causes a situation where not only does the person many times only replace or add the next character (ex. Scott@1 to Scott@2 or Scott@12 then Scott@123) but many times they will end up writing it down either in a file or a notebook somewhere. Although many may encrypt the written password change somewhere, the majority will not.
Just last week there was a NIST blog post by Mike Garcia called "Easy Ways to build a Better P@$$w0rd": https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-pw0rd.
I strongly agree with the concept of using associations that are unique to you. More importantly, if you have to use passphrases at all, it is more and more necessary to utilize Multi-factor Authentication, wherever possible.
The most challenging outcomes of the many breaches reported in the last few years are:
1. Easily guessed and short passwords
2. Password reuse.
Troy Hunt wrote a great blog about this very issue here: https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-...
Once we focus on increased length of passphrases versus complexity and ensure there is no password reuse, credential stuffing goes away. When we increase the length and ensure uniqueness of passwords for each individual service we use, Password Managers become a necessity.
Aside from our social and personal spaces, when it comes to credential protections in the enterprise, Privileged Access Management conversations are becoming more and more prevalent overall.
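The rotation failure mode described in the first comment (users bumping a trailing digit, Scott@1 to Scott@2) and the length-over-complexity point above can both be enforced at password-change time. The following is example code added for this thread, not code from NIST or from any commenter: it checks a proposed password against a length floor, a compromised-password list and a similarity test against the previous password. The 15-character minimum, the 0.75 similarity threshold and the tiny `KNOWN_BREACHED` set are constructed assumptions; a real deployment screens against a full breach corpus.

```python
"""Password-change validator: length-first policy plus a check for trivial
"increment the last character" changes. Example code written for this thread;
every sample value below is constructed."""
import re
import unicodedata
from difflib import SequenceMatcher
from typing import List, Optional

# Assumed policy values (not NIST's own numbers): one commenter plans a 15-character
# floor; NIST's minimum is 8. Tune both to your own policy.
MIN_LENGTH = 15
SIMILARITY_LIMIT = 0.75  # SequenceMatcher ratio at or above which a change is "trivial"

# Constructed stand-in for a compromised-password corpus (NIST SP 800-63B asks for a
# screen against known-breached passwords); a real list has hundreds of millions.
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "scott@1"}

TOO_SHORT = "shorter than policy minimum"
BREACHED = "appears in the compromised-password list"
REPETITIVE = "repetitive or near-single-character"
TRIVIAL_CHANGE = "trivial modification of the previous password"

_TRAILING_NON_LETTERS = re.compile(r"[^A-Za-z]+$")


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def stem(password: str) -> str:
    """Strip the trailing digits/symbols users bump on each rotation: 'Scott@12' -> 'scott'."""
    return _TRAILING_NON_LETTERS.sub("", password).lower()


def is_trivial_change(new: str, previous: str) -> bool:
    """True when the new password is the old one with its tail changed, or is otherwise
    nearly identical. This runs at change time, when the user has just supplied the old
    password in clear, so no plaintext needs to be stored to make the comparison."""
    old_stem, new_stem = stem(previous), stem(new)
    if old_stem and old_stem == new_stem:
        return True
    ratio = SequenceMatcher(None, previous.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT


def check_new_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the policy failures for a proposed password (empty list means accepted).
    Deliberately no character-class ("1 of each type") rule: length, the breach screen
    and the non-triviality check do the work instead."""
    new = normalize(new)
    reasons: List[str] = []
    if len(new) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    if new.lower() in KNOWN_BREACHED:
        reasons.append(BREACHED)
    if len(set(new.lower())) <= 2:  # 'aaaaaaaaaaaaaaaa' or 'abababababababab'
        reasons.append(REPETITIVE)
    if previous is not None and is_trivial_change(new, normalize(previous)):
        reasons.append(TRIVIAL_CHANGE)
    return reasons


if __name__ == "__main__":
    # Constructed change requests mirroring the pattern from the first comment.
    for old, new in [("Scott@1", "Scott@2"), ("Scott@12", "Scott@123"),
                     ("MyFavoriteSongLyric2023!", "MyFavoriteSongLyric2024!"),
                     ("Scott@1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old) or 'accepted'}")
```

The stem comparison catches the rotation habit even when the new password clears the length floor (a 24-character passphrase with only the year bumped is still rejected), while a genuinely new long passphrase passes with no complexity rule at all.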
As others have said, what really matters is when the auditors and QSAs update *their* checklists. As long as businesses continue to get dinged in audits for *not* expiring passwords every 90 days, they will continue to do so.
What do *I* think of NIST guidance? I think it is fine, and a net positive for business in general. I think it should be adopted ASAP, but it won't be adopted until the auditors buy in.
I join those who applaud the update from NIST. Having said that, I am surprised they didn't increase the 8-character minimum, even for non-privileged/sensitive accounts. We will likely go with 15-character passphrases. We may also use the lack of an expiration as an incentive to adopt 2FA.
As an auditor, all I can do is audit against my organization's password policy. Until my organization changes their policy, all I can do is report that the policy does not line up with NIST. And until the regulators change their requirements, my organization's policy will stay exactly as it is...
Which brings me back to your point: when will we see changes from the various regulating bodies?
I would recommend you do an audit of your user passwords, and then you should get a good idea of whether your password policy is actually working for you, regardless of NIST recommendations. My experience has shown me that changing passwords every 30 days, whilst it might feel secure, just forces users to adopt common themes for passwords and write them down. This makes password guessing incredibly easy!
User education can work for some individuals; however, more often than not you are trying to change people's habits, which is a longer-term problem, usually about 12 weeks of following a new pattern to adopt a new behaviour.
In summary, moving to a longer period (no more than 90 days) is in most cases more secure; however, I would suggest increasing the minimum length as well, backed up with strong user education to promote passphrases and a lack of themes.