NIST SP 800-63B Password Guidelines
Understand the NIST SP 800-63B password guidelines. Learn about minimum length requirements, banned password lists, and why NIST recommends against forced complexity rules and periodic rotation.
Detailed Explanation
NIST SP 800-63B Password Requirements
The National Institute of Standards and Technology (NIST) published Special Publication 800-63B (Digital Identity Guidelines), which fundamentally changed password best practices. Many of its recommendations contradict traditional corporate password policies.
Key NIST Recommendations
1. Minimum Length: 8 Characters (15+ Preferred)
NIST requires a minimum of 8 characters for user-chosen passwords and recommends supporting passwords up to at least 64 characters. For generated passwords or passphrases, NIST encourages much longer strings.
2. No Composition Rules
NIST explicitly recommends against requiring specific character types (uppercase, lowercase, digit, symbol). Research shows that forced complexity leads to predictable patterns:
Password1! <- meets complexity rules but is weak
Tr0ub4dor&3 <- meets rules but follows a pattern
Instead, NIST favors length over complexity as the primary strength indicator.
3. Check Against Breached Password Lists
Passwords should be checked against blocklists of values that are commonly used, expected, or known to be compromised, including:
- Passwords exposed in data breaches
- Dictionary words
- Repetitive or sequential characters (aaaa, 1234)
- Context-specific words (username, service name)
4. No Mandatory Periodic Rotation
NIST recommends against forcing users to change passwords on a schedule (every 30/60/90 days). Forced rotation leads to predictable incremental changes:
Summer2024! -> Fall2024! -> Winter2025!
Passwords should only be changed when there is evidence of compromise.
5. No Password Hints or Knowledge-Based Questions
Security questions ("What is your mother's maiden name?") are easily researched through social media. NIST recommends eliminating them entirely.
Implementing NIST Guidelines
When generating passwords that comply with NIST recommendations:
- Set length to 15+ characters for maximum security
- Use a CSPRNG for randomness
- Verify generated passwords against breach databases (e.g., Have I Been Pwned API)
- Store passwords using a modern hash function (Argon2id, bcrypt, or scrypt)
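As an added illustration of the four implementation steps above (not code from the page or from any project it names), the block below generates a password with the standard-library CSPRNG, computes the SHA-1 prefix/suffix split that the Have I Been Pwned range lookup is built on and parses a range response for the suffix, and stores and verifies the password with scrypt from hashlib. It makes no network call: SAMPLE_RANGE_RESPONSE is a constructed stand-in for what the range endpoint returns, and the breach count in it is invented for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Alphabet for generated passwords. No composition rule is imposed; strength
# comes from the length and from drawing every character with a CSPRNG.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Constructed stand-in for a Pwned Passwords range response ("SUFFIX:COUNT" per
# line). The first line is the real SHA-1 suffix of the string "password";
# the count of 3 is invented for this example, not a real breach statistic.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
0000000000000000000000000000000000A:1
"""


def generate_password(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG via the secrets module."""
    if length < 15:
        raise ValueError("generate at least 15 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hibp_prefix_and_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-character prefix that is
    sent to the range endpoint and the 35-character suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Return how often the password appears in the range response, 0 if absent.
    Only the suffix is compared, so the full hash never leaves the client."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# scrypt parameters: n=2**14, r=8 uses about 16 MiB of memory per hash.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || scrypt(password, salt) for storage; a fresh 16-byte salt by default."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute scrypt with the stored salt and compare in constant time."""
    salt, key = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    pw = generate_password(20)
    prefix, _ = hibp_prefix_and_suffix(pw)
    print("generated:", pw, "| range prefix to query:", prefix)
    print("'password' seen in sample range:", breach_count("password", SAMPLE_RANGE_RESPONSE))
    record = hash_password(pw)
    print("verify ok:", verify_password(pw, record), "| wrong:", verify_password("nope", record))
```

In a real deployment the prefix from hibp_prefix_and_suffix is what gets sent to the range endpoint and its body is passed to breach_count; any non-zero count means the generated password should be discarded and a new one drawn. Argon2id would be the stronger choice for storage but is not in the standard library, so scrypt is used here.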
Use Case
NIST guidelines are the gold standard for US government agencies and are widely adopted by private organizations. Developers building authentication systems, security auditors assessing password policies, and IT administrators configuring Active Directory or LDAP policies should follow NIST SP 800-63B as the baseline for modern password requirements.