The NIST guidelines for password policies

By rashid, 3 March, 2023

The NIST guidelines for password policies are published in NIST Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management". The document is revised as the recommendations evolve. As of the 03-02-2020 update, the guidelines for passwords (which NIST calls "memorized secrets") are much simpler than traditional corporate policies; they are summarized below. Always refer to the NIST document itself for the latest text.

NIST guidelines for passwords (SP 800-63B, section 5.1.1.2):

  • User-chosen passwords must be at least 8 characters long, and verifiers should accept passwords of at least 64 characters, including spaces and non-ASCII characters.
  • Beyond length, no composition rules should be imposed, such as a minimum number of upper case, lower case, numeric, or special characters.
  • No periodic password changes should be imposed. A password change should be forced only when there is evidence of compromise.
  • In place of composition rules, a new or changed password should be checked against a list of values known to be commonly used, expected, or compromised (for example, passwords from breach corpora and dictionary words), and rejected if it appears there.

NIST no longer recommends enforcing complex passwords. Users respond to composition rules in predictable ways (a capital first letter, a trailing "1" or "!"), so attackers model those patterns and the rules add little real entropy. Composition rules also hurt usability, since users must remember which rule they satisfied and how, while providing little or no improvement to password strength over a simple length minimum combined with a blocklist of known-bad passwords.
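The following is an added example, not code from the original page or from NIST, showing what the policy above looks like as an acceptance check: a legacy composition-rule validator next to a validator that follows the SP 800-63B rules (length window, Unicode normalization, blocklist, no composition requirement). The blocklist contents, the function names and the case-insensitive blocklist comparison are assumptions made for illustration; a real deployment would load a breached-password corpus instead of the handful of constructed entries here.

```python
"""Length-plus-blocklist password check in the style of SP 800-63B.

Added example (not from the original page). The blocklist below is a
constructed sample; replace it with a real breached-password corpus.
"""
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers should accept at least 64 characters

# Constructed sample standing in for a list of commonly used or compromised
# passwords. Entries are stored lower-case because the check below compares
# case-insensitively (an assumption of this example, not a NIST requirement).
BLOCKLIST = {
    "password", "password1", "password1!", "12345678",
    "qwerty123", "letmein1", "welcome1", "iloveyou",
}


def legacy_composition_check(pw: str) -> bool:
    """The kind of rule NIST no longer recommends.

    Requires upper, lower, digit and special characters. Note that it
    happily accepts "Password1!", which is on every breach list.
    """
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def nist_check(pw: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Accept or reject a user-chosen password following SP 800-63B.

    Returns (accepted, reason). There is deliberately no composition rule:
    a long passphrase with spaces and no digits is fine, a short string that
    ticks every character-class box is not.
    """
    # Normalize so the same secret is compared the same way regardless of
    # how the client encoded it (SP 800-63B recommends NFKC or NFKD).
    pw = unicodedata.normalize("NFKC", pw)

    # Count code points rather than bytes so non-ASCII characters count
    # as one character each, as the user perceives them.
    length = len(pw)
    if length < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if length > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"

    # The blocklist replaces composition rules: reject values known to be
    # commonly used, expected, or compromised.
    if pw.casefold() in blocklist:
        return False, "commonly used or compromised password"

    return True, "ok"


def must_change_password(evidence_of_compromise: bool) -> bool:
    """Rotation policy under SP 800-63B: only compromise forces a change.

    Password age is intentionally not an input; there is no expiry clock.
    """
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "Tr0ub4&", "pässwörd"):
        print(f"{candidate!r:34} legacy={legacy_composition_check(candidate)!s:5} "
              f"nist={nist_check(candidate)}")
```

Running the block shows the contrast the text describes: "Password1!" satisfies every composition rule and is rejected only by the blocklist, while "correct horse battery staple" fails the legacy check (no upper case, digit or symbol) and is accepted under the NIST rules on length alone.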

Tags

  • NIST