The Short Version
The National Institute of Standards and Technology (NIST) updated their digital identity guidelines in 2024, and the recommendations have shifted significantly from what most organizations currently enforce. Mandatory password expiration is out. Length requirements are more important than complexity rules. Password managers are officially recommended. And the focus has moved from making passwords hard to guess to making them hard to breach at scale. If your current password policy requires 90-day rotation, special characters in specific positions, and password hints — it’s time to update it.
Why Old Password Policies Made Things Worse
The password policies most organizations currently enforce were standardized in the early 2000s, based on assumptions that have since been disproven by behavioral research and breach data analysis. Specifically:
Mandatory rotation created predictable patterns: When employees are forced to change passwords every 90 days, they don’t create new random passwords — they increment them. Spring2024! becomes Summer2024! becomes Fall2024!. Attackers know this. Password spraying tools are configured to try these patterns. Forced rotation didn’t increase security; it created calendar-based predictability.
Complexity rules drove workarounds: Requirements for uppercase, lowercase, numbers, and special characters pushed users toward substitution patterns: P@ssw0rd, S3cur1ty!, C0mpany1!. These satisfy the technical requirements while being trivially crackable — they’re in every modern password cracking dictionary. The complexity rules optimized for rule compliance rather than actual entropy.
Complexity reduced memorability without increasing security: The security benefit of requiring ! in a password is minimal when the user compensates by making the rest of the password more predictable. A 16-character passphrase of random words is mathematically stronger than an 8-character complex password, while also being memorable.

What NIST SP 800-63B Actually Says
NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) was updated most recently in 2024. The key guidance relevant to password policies:
- Minimum length: 8 characters for user-created passwords (NIST’s absolute minimum — most security practitioners recommend 12-15 as an organizational minimum)
- Maximum length: at least 64 characters — policies that cap passwords at 12 or 16 characters actively harm security by preventing passphrases
- No mandatory rotation unless there is evidence of compromise — NIST explicitly recommends against periodic forced password changes
- Check against known-breached password lists — organizations should maintain or subscribe to a compromised password database and reject passwords that appear in it
- No complexity rules that restrict character types — allow all printable ASCII and Unicode characters, and don’t require specific character classes
- No password hints and no knowledge-based authentication questions — these reduce security
- No password expiration based on time — only require changes when compromise is suspected or confirmed
The Forced Rotation Myth
This point deserves expansion because it contradicts decades of conventional security wisdom. If attackers obtain your password database and crack the hashes, forcing users to change their passwords every 90 days means an attacker must crack the hash within 90 days to exploit it. In theory, this limits the window of exposure.
In practice, modern hash cracking is fast enough that a weak password can be cracked in minutes regardless of when it was set. The 90-day window provides no meaningful protection for weak passwords. And the behavioral response to frequent forced rotation (predictable incrementing patterns) creates vulnerabilities that offset any theoretical benefit.
NIST’s position: the documented harms of mandatory rotation outweigh the theoretical benefits. Change passwords when there is evidence of compromise — leaked credential databases, phishing incidents, or suspected unauthorized access. Not on a calendar schedule.
Password Length vs. Complexity
The most important shift in NIST’s updated guidance is the emphasis on length over complexity. This is not intuitive but is supported by the mathematics of entropy:
Entropy scales as length × log2(keyspace). An 8-character password using uppercase, lowercase, digits, and symbols (roughly 95 characters of keyspace) has approximately 52 bits of entropy (8 × log2 95). A 16-character password using only lowercase letters (26 characters of keyspace) has approximately 75 bits of entropy (16 × log2 26). The longer, simpler password is mathematically stronger.
The policy implication: enforce a minimum length (12-15 characters for user accounts, 20+ for service accounts), allow any character including spaces, and stop requiring character class combinations. Encourage passphrases — three or four random common words strung together — as they’re both long and memorable.
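As an added example (not code from the article or from NIST), a Python validator that applies the rules listed under "What NIST SP 800-63B Actually Says" together with the length-over-complexity policy just described: minimum and generous maximum length, any Unicode including spaces, NFKC normalization, no character-class rules, and a check against a breached-password list. The 12-character organizational minimum and the BREACHED sample are assumptions; entropy_bits reproduces the 52-bit vs 75-bit comparison.

```python
import math
import unicodedata

# Constructed sample of a compromised-password list (hypothetical, not a real corpus);
# a deployment compares against a full breach dataset instead.
BREACHED = {"password", "Spring2024!", "P@ssw0rd", "S3cur1ty!", "C0mpany1!"}

MIN_LEN = 8       # NIST absolute minimum for user-chosen passwords
MAX_LEN = 64      # a policy must accept at least this many characters
ORG_MIN_LEN = 12  # organizational minimum adopted here (assumption, within the 12-15 range)

def entropy_bits(length: int, keyspace: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(keyspace)."""
    return length * math.log2(keyspace)

def normalize(pw: str) -> str:
    """NFKC-normalize so the same passphrase typed with composed or decomposed
    Unicode compares (and hashes) the same; internal spaces are kept."""
    return unicodedata.normalize("NFKC", pw)

def check_password(pw: str, min_len: int = ORG_MIN_LEN) -> list[str]:
    """Return the list of policy violations (empty means acceptable).
    Deliberately no character-class rules: any printable ASCII or Unicode,
    spaces included, is allowed; length is counted in code points, not bytes."""
    pw = normalize(pw)
    floor = max(min_len, MIN_LEN)
    problems = []
    n = len(pw)
    if n < floor:
        problems.append(f"too short: {n} < {floor} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters (raise the cap, never truncate)")
    if pw in BREACHED:
        problems.append("appears in the compromised-password list")
    if any(unicodedata.category(c) == "Cc" for c in pw):
        problems.append("contains control characters")
    return problems
```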
MFA Changes Everything
The context for all password guidance is multi-factor authentication. NIST’s password guidance assumes MFA is in place — and for good reason. Even a weak password is dramatically harder to exploit when the attacker also needs a second factor.
For accounts protected by phishing-resistant MFA (FIDO2, hardware tokens, or passkeys), the password itself becomes less critical from an external attack perspective. The threat model shifts to insider threats and physical access scenarios. For accounts without MFA, password strength is carrying the entire authentication burden — which is why password policy matters less for MFA-protected accounts and more for legacy systems that can’t support MFA.
The current NIST recommendation hierarchy: phishing-resistant MFA (passkeys, FIDO2) is the gold standard. TOTP-based MFA (authenticator apps) is the acceptable baseline. SMS-based MFA is acceptable for most use cases but vulnerable to SIM-swapping. Password-only authentication should be eliminated wherever possible.
What Privileged Account Policies Look Like
NIST’s guidance applies to general user accounts. Privileged accounts — administrators, service accounts, system accounts, and shared credentials — require more stringent controls:
- Minimum 20 characters, randomly generated, stored in a privileged access management (PAM) vault or enterprise password manager
- Unique credentials per system — no shared passwords across servers, network devices, or applications
- Automatic rotation via PAM tooling — unlike user accounts, service account passwords should rotate automatically after each use or on a short schedule (30-90 days maximum)
- No human knowledge of credentials — ideally, no human knows the privileged password; it’s checked out from the vault and checked back in, with session recording
- Just-in-time access — accounts are provisioned at time of need and deprovisioned automatically when the task is complete
Account Lockout: The Right Numbers
Account lockout policies balance two risks: locking out legitimate users (availability) and allowing brute force attacks (security). NIST’s updated guidance recommends a more nuanced approach than traditional lockout thresholds:
Rate limiting over hard lockout: Rather than locking accounts after 5 failed attempts, implement progressive delays between attempts. This prevents brute force without locking out users who mistype their password.
CAPTCHA after threshold: After 5–10 failed attempts, require CAPTCHA verification. This stops automated attacks without disabling the account.
Hard lockout with admin reset: If your system uses hard lockout, NIST recommends 10 failed attempts as a reasonable threshold — not 3 or 5. Modern brute force attacks don’t happen via the login form anyway; they operate on captured credential databases.
Monitor for credential stuffing: Credential stuffing attacks use known username/password combinations from breached databases and attempt them across many accounts at low frequency — specifically to avoid lockout thresholds. Detecting this requires monitoring login patterns across accounts, not just per-account failure counts.
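As an added example (not from the article), Python over a constructed login log that contrasts what a per-account lockout policy sees with the cross-account view needed to catch the low-and-slow credential stuffing described above, and encodes the progressive-delay, CAPTCHA and lockout thresholds this section gives. The log lines, IP addresses and the doubling delay schedule are constructed assumptions.

```python
from collections import defaultdict

# Constructed authentication log (not from any real system): time, user, source IP, result.
LOG = """\
09:00:01 alice 198.51.100.5 FAIL
09:00:05 alice 198.51.100.5 FAIL
09:00:09 alice 198.51.100.5 FAIL
09:00:31 alice 198.51.100.5 OK
09:01:00 bob 203.0.113.7 FAIL
09:01:40 carol 203.0.113.7 FAIL
09:02:20 dave 203.0.113.7 FAIL
09:03:00 erin 203.0.113.7 OK
09:03:40 frank 203.0.113.7 FAIL
09:04:20 grace 203.0.113.7 FAIL
"""

CAPTCHA_AT, LOCKOUT_AT = 5, 10  # thresholds given in the article

def policy_action(consecutive_failures: int) -> str:
    """Response to the next attempt on an account with N consecutive failures:
    progressive delay from the 3rd failure, CAPTCHA at 5, hard lockout at 10."""
    if consecutive_failures >= LOCKOUT_AT:
        return "lockout"
    if consecutive_failures >= CAPTCHA_AT:
        return "captcha"
    if consecutive_failures >= 3:
        return f"delay {2 ** (consecutive_failures - 3)}s"  # 1s, 2s, 4s ... (assumed schedule)
    return "allow"

def parse(log: str) -> list[tuple[str, ...]]:
    return [tuple(line.split()) for line in log.splitlines()]

def peak_failure_streaks(rows) -> dict[str, int]:
    """Highest consecutive-failure count each account reached (reset on success):
    the only signal a per-account lockout policy sees."""
    cur, peak = defaultdict(int), defaultdict(int)
    for _, user, _, result in rows:
        cur[user] = 0 if result == "OK" else cur[user] + 1
        peak[user] = max(peak[user], cur[user])
    return dict(peak)

def stuffing_sources(rows, min_accounts: int = 5) -> dict[str, tuple[int, int]]:
    """Cross-account view: sources that touch many distinct accounts with few
    attempts each. Returns {ip: (distinct_accounts, successful_logins)}."""
    users, wins = defaultdict(set), defaultdict(int)
    for _, user, ip, result in rows:
        users[ip].add(user)
        wins[ip] += int(result == "OK")
    return {ip: (len(u), wins[ip]) for ip, u in users.items() if len(u) >= min_accounts}
```

Here no account ever reaches the CAPTCHA or lockout threshold, yet one source has tried six accounts and succeeded on one; that is the signal per-account counters miss.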
Nicholas Salem is the CEO of Boston Managed IT, a managed services provider serving professional services firms and small businesses across Greater Boston. BMIT helps clients build and operate security programs that meet Massachusetts compliance requirements.