NIST Password Guidelines (SP 800-63B)
Master the NIST SP 800-63B password requirements. Learn why NIST eliminated composition rules and mandatory rotation, and how to implement compliant password policies in modern applications.
Detailed Explanation
NIST SP 800-63B: Modern Password Standards
The National Institute of Standards and Technology published Special Publication 800-63B (Digital Identity Guidelines — Authentication and Lifecycle Management), fundamentally changing how organizations should handle passwords. Many of its recommendations contradict decades of conventional corporate password policy.
Key Requirements and Recommendations
1. Minimum Length: 8 Characters (15+ Recommended)
NIST requires user-chosen passwords (memorized secrets) to be at least 8 characters. For machine-generated passwords, there is no minimum because they are assumed to have sufficient entropy. NIST recommends supporting passwords of at least 64 characters to encourage passphrases.
2. No Composition Rules
NIST explicitly advises against requiring specific character types:
"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types) for memorized secrets."
Research shows forced complexity leads to predictable patterns:
P@ssw0rd! ← Meets every rule, cracked in milliseconds
Summer2024! ← Meets every rule, in every dictionary
3. Check Against Breached Password Lists
Passwords SHALL be compared against known compromised values:
- Passwords from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters (aaaa, 1234)
- Context-specific words (username, service name)
This is the single most impactful recommendation — it blocks the passwords that attackers try first.
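Sections 1 through 3 above describe a verifier that checks length, a blocklist and a breach corpus but imposes no composition rules. The following Python validator is an added example illustrating that design; it is not code from this page or from NIST. It applies NFKC normalization before measuring length (SP 800-63B recommends NFKC or NFKD normalization of memorized secrets), uses a constructed five-entry blocklist in place of a real corpus, and shows the client side of the Pwned Passwords range lookup (only the first five hex characters of the SHA-1 are sent; the server answers with every suffix in that range). The range-API body below is constructed for the example: its first line carries the real SHA-1 suffix of the string "password" but a made-up count, and the `offline_fetch` stand-in replaces the HTTP call so the code runs without network access.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8       # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128     # verifiers must accept at least 64; cap above that only to bound hashing cost

# Constructed stand-in for a breach corpus / dictionary blocklist. A real
# deployment uses a large list or the Pwned Passwords range API (below).
BLOCKLIST = {"password", "p@ssw0rd!", "summer2024!", "qwerty", "letmein"}


def normalize(secret: str) -> str:
    """NFKC-normalize before length checks and hashing, so the same secret
    typed through different input methods compares and hashes identically."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive(secret: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    count = 1
    for prev, cur in zip(secret, secret[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def is_sequential(secret: str, run: int = 4) -> bool:
    """True if `run` consecutive code points step by exactly +1 or -1 (e.g. '1234', 'dcba')."""
    for i in range(len(secret) - run + 1):
        window = [ord(c) for c in secret[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context(secret: str, context_words) -> bool:
    """True if a context-specific word (username, service name, ...) appears in the secret."""
    lowered = secret.lower()
    return any(w and w.lower() in lowered for w in context_words)


def hibp_range_query(secret: str):
    """Split SHA-1(secret) the way the Pwned Passwords range API expects: only the
    5-hex-char prefix is sent (GET https://api.pwnedpasswords.com/range/<prefix>);
    the full hash never leaves the client."""
    digest = hashlib.sha1(normalize(secret).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines of a range response; 0 means not found."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def hibp_count(secret: str, fetch) -> int:
    """`fetch(prefix)` returns the API body for that prefix; it is injected so the
    example runs offline and the lookup logic is easy to test."""
    prefix, suffix = hibp_range_query(secret)
    return count_in_range_response(suffix, fetch(prefix))


def validate_memorized_secret(secret: str, context_words=(), breached=lambda s: False):
    """Return rejection reasons; an empty list means the secret is acceptable.
    Deliberately absent: any character-class composition rule."""
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append("too short")
    if len(s) > MAX_LENGTH:
        reasons.append("too long")
    if s.lower() in BLOCKLIST:
        reasons.append("on blocklist")
    if is_repetitive(s):
        reasons.append("repetitive characters")
    if is_sequential(s):
        reasons.append("sequential characters")
    if contains_context(s, context_words):
        reasons.append("contains context-specific word")
    if breached(s):
        reasons.append("found in breach corpus")
    return reasons


# Constructed range-API body: the first line is the real SHA-1 suffix of
# "password" (prefix 5BAA6) paired with a made-up count; the second is filler.
SAMPLE_RANGE_RESPONSE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0123456789ABCDEF0123456789ABCDEF012:3
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; always returns the constructed body."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    check = lambda s: hibp_count(s, offline_fetch) > 0
    for pw in ["P@ssw0rd!", "aaaa1234", "correct horse battery staple", "password"]:
        print(repr(pw), validate_memorized_secret(pw, context_words=["alice"], breached=check))
```

Note what the validator does not do: "correct horse battery staple" passes with no digits or symbols, while "P@ssw0rd!" fails on the blocklist despite satisfying every classic composition rule. In production, replace `offline_fetch` with a real HTTP GET of the prefix URL and keep the suffix comparison on the client.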
4. No Mandatory Periodic Rotation
NIST advises against time-based password expiration:
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
Forced rotation causes:
- Incremental changes (Winter2024! → Spring2025!)
- Written-down passwords
- Increased helpdesk costs
Passwords should be changed only when there is evidence of compromise.
5. No Password Hints or Knowledge-Based Questions
Security questions ("Mother's maiden name?") are easily researched through social media. NIST recommends eliminating them entirely.
6. Rate Limiting and Account Lockout
- Limit failed authentication attempts (e.g., maximum 100 within a period)
- Implement delays or CAPTCHAs after repeated failures
- Do not permanently lock accounts (a permanent lockout lets anyone deny service to the legitimate user simply by failing logins on their behalf)
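The three points above (cap failed attempts, add delays after repeated failures, never lock permanently) fit in one small throttle. The Python class below is an added example, not code from this page; the back-off schedule (exponential, capped), the 100-failure threshold at which the caller must demand an extra check such as a CAPTCHA, and the 15-minute expiry of failure history are this example's own parameter choices. The `ManualClock` exists only so the example runs deterministically.

```python
import time


class ManualClock:
    """Controllable time source used instead of the wall clock so the example
    and its tests run deterministically."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Per-account throttle for failed authentication attempts.

    Consecutive failures impose an exponentially growing delay (capped at
    `max_delay`). Beyond `max_failures` the account is not locked; the caller
    must demand an extra check (CAPTCHA, out-of-band confirmation) instead.
    History expires after `reset_after` seconds of quiet, so an attacker who
    keeps failing logins cannot permanently deny service to the real user.
    """

    def __init__(self, max_failures=100, base_delay=1.0, max_delay=300.0,
                 reset_after=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self._clock = clock
        self._state = {}  # account -> [consecutive_failures, last_failure_time]

    def _entry(self, account):
        entry = self._state.get(account)
        if entry is not None and self._clock() - entry[1] >= self.reset_after:
            del self._state[account]   # quiet period elapsed: forget the history
            entry = None
        return entry

    def decision(self, account):
        """('allow', 0.0), ('delay', seconds_to_wait) or ('extra_verification', 0.0)."""
        entry = self._entry(account)
        if entry is None:
            return ("allow", 0.0)
        failures, last = entry
        if failures >= self.max_failures:
            return ("extra_verification", 0.0)
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        remaining = delay - (self._clock() - last)
        return ("delay", remaining) if remaining > 0 else ("allow", 0.0)

    def record_failure(self, account) -> int:
        entry = self._entry(account)
        failures = (entry[0] if entry else 0) + 1
        self._state[account] = [failures, self._clock()]
        return failures

    def record_success(self, account) -> None:
        self._state.pop(account, None)   # a successful login clears the counter


def run_scenario():
    """Walk one account through back-off, the extra-verification threshold and
    expiry; returns the sequence of decisions so it can be checked."""
    clk = ManualClock()
    th = LoginThrottle(max_failures=3, base_delay=1.0, max_delay=4.0,
                       reset_after=60.0, clock=clk)
    out = [th.decision("bob")]                 # fresh account: allow
    th.record_failure("bob")
    out.append(th.decision("bob"))             # first failure: 1 s back-off
    clk.now = 1.0
    out.append(th.decision("bob"))             # back-off elapsed: allow
    th.record_failure("bob")
    clk.now = 2.0
    out.append(th.decision("bob"))             # 2 s back-off, 1 s still to wait
    clk.now = 3.0
    th.record_failure("bob")
    out.append(th.decision("bob"))             # threshold reached: extra check, not lockout
    clk.now = 63.0
    out.append(th.decision("bob"))             # history expired: allow again
    th.record_success("bob")
    out.append(th.decision("bob"))
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The key property is in `_entry`: state is dropped after `reset_after`, so the worst an attacker can impose on a victim is a bounded delay or an extra verification step, never a closed account.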
Implementation Checklist
For developers building NIST-compliant authentication:
- Accept 8-64+ character passwords
- Allow all printable ASCII and Unicode characters
- Check against breach database (Have I Been Pwned API)
- Block common patterns and sequential characters
- Do not enforce composition rules
- Do not enforce periodic rotation
- Use Argon2id, bcrypt, or PBKDF2 for hashing
- Implement rate limiting on login attempts
- Support multi-factor authentication
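For the checklist's hashing item, the following Python example (added here; not the page's own code) uses PBKDF2-HMAC-SHA256 because it is the one of the three listed KDFs that ships in the standard library; Argon2id and bcrypt need third-party packages. The record layout `$pbkdf2-sha256$<iterations>$<salt>$<key>` is this example's own, and the 600,000-iteration default is a starting point to be tuned on the target hardware. `needs_rehash` supports the no-rotation policy: when the iteration count is raised, records are upgraded transparently at the next successful login rather than by forcing a password change.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 600_000   # raise until one hash costs roughly 100 ms on your hardware
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2-sha256"


def _prepare(password: str) -> bytes:
    # NFKC-normalize so the same secret typed through different input methods
    # produces the same bytes at enrollment and at login.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<iters>$<salt b64>$<key b64>."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, iterations, dklen=KEY_BYTES)
    return "${}${}${}${}".format(
        SCHEME, iterations, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False                        # malformed record
    if scheme != SCHEME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt,
                                 int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the stored record is weaker than the current policy; rehash it
    on the next successful login instead of forcing a password change."""
    parts = record.split("$")
    return len(parts) != 5 or parts[1] != SCHEME or int(parts[2]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("correct horse battery stable", record))
    print("needs rehash:", needs_rehash(record))
```

`hmac.compare_digest` avoids leaking, through timing, how many leading bytes of a guess matched; the per-password salt means two users with the same password get unrelated records.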
How Strength Analyzers Align with NIST
A NIST-aligned password strength analyzer should:
- Not penalize passwords for missing character classes
- Heavily weight password length
- Flag passwords found in breach databases
- Detect common patterns, dictionary words, and sequences
- Score based on estimated guesses, not checkbox compliance
Use Case
NIST SP 800-63B is the baseline standard for US government agencies and is widely adopted by private organizations worldwide. Developers implementing authentication, compliance officers drafting security policies, and security auditors evaluating systems all reference these guidelines. A password strength analyzer aligned with NIST provides the most meaningful assessment of password quality.