Devii · Backend · 2026-04-20 · 7 min read
NIST Password Guidance: Length, Breach Checks, And What Changed
Summarizing NIST SP 800-63B memorized secret requirements without folklore rules.
NIST Special Publication **800-63B** (Digital Identity Guidelines, Authentication and Lifecycle Management) defines requirements for federal systems and influences industry practice. For **memorized secrets** (passwords), the current guidance emphasizes length over forced rotation and calls for checking candidate passwords against corpora of breached passwords.
NIST de-emphasizes arbitrary composition rules (mandatory symbols) that produce predictable human patterns. Multi-factor authentication raises assurance for sensitive accounts. Read the current revision on `pages.nist.gov` because SP 800-63 receives updates.
Implementation notes: hash passwords with Argon2id, scrypt, or bcrypt using a per-user salt; never store plaintext. Rate-limit online guessing attempts. Use established libraries rather than custom crypto.
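The points above (length instead of composition rules, a breach-corpus check, salted hashing with one of the listed KDFs, and throttled online guessing) as a small Python verifier. This is an added example, not code from the article or from NIST; the 8-character minimum and 64-character ceiling are the figures SP 800-63B specifies, the breached-password set and the five-guess lockout are constructed stand-ins, and scrypt is used because it is available in the standard library.

```python
"""Added example: a memorized-secret verifier following the SP 800-63B points
in the article. Breach corpus, accounts and throttle value are constructed."""
import hashlib
import hmac
import secrets
import unicodedata

# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests so
# no plaintext lives in the verifier (a real corpus would be loaded the same way).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "P@ssw0rd!")
}
MIN_LEN, MAX_LEN = 8, 64          # NIST: at least 8 chars; accept at least 64
MAX_FAILED_GUESSES = 5            # constructed lockout threshold for this demo
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def check_policy(candidate: str) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    No symbol or digit requirements: only length and the blocklist, per NIST."""
    pw = unicodedata.normalize("NFKC", candidate)  # NIST recommends NFKC/NFKD
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    return reasons


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Store a per-user random salt plus a scrypt digest, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    pw = unicodedata.normalize("NFKC", password).encode()
    return {"salt": salt, "hash": hashlib.scrypt(pw, salt=salt, **SCRYPT), "failed": 0}


def verify_password(record: dict, attempt: str) -> bool:
    """Constant-time compare; failures are counted to throttle online guessing."""
    if record["failed"] >= MAX_FAILED_GUESSES:
        return False  # locked until an out-of-band reset (demo policy)
    pw = unicodedata.normalize("NFKC", attempt).encode()
    digest = hashlib.scrypt(pw, salt=record["salt"], **SCRYPT)
    ok = hmac.compare_digest(digest, record["hash"])
    record["failed"] = 0 if ok else record["failed"] + 1
    return ok
```

Note that `P@ssw0rd!` satisfies every classic composition rule yet is rejected by the blocklist, while a long passphrase with no symbols passes.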
This article summarizes public NIST text; compliance programs may impose additional controls beyond memorized secrets alone.