Devii · Backend · 2026-04-20 · 7 min read


NIST Password Guidance: Length, Breach Checks, And What Changed

Summarizing NIST SP 800-63B memorized secret requirements without folklore rules.

NIST Special Publication **800-63B** (Digital Identity Guidelines, Authentication and Lifecycle Management) defines requirements for federal systems and strongly influences industry practice. For **memorized secrets** (passwords), current guidance emphasizes length over forced periodic rotation, and screening candidate passwords against corpora of known breached passwords.

NIST discourages arbitrary composition rules (mandatory symbols) because they produce predictable human patterns rather than stronger secrets. Multi-factor authentication raises assurance for sensitive accounts. Read the current revision on `pages.nist.gov`, because SP 800-63 receives updates and specific thresholds change between revisions.

Identity and access workshop

Implementation notes: hash with a memory-hard password hashing function (Argon2id, scrypt, or bcrypt) using a random per-user salt; never store plaintext. Rate-limit online guessing per account and per source. Use established libraries, not custom crypto.
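The following is an added example, not code from the original article or from NIST, that ties together the three practitioner points above: a password policy that enforces only length and a breach blocklist (no composition rules), salted memory-hard hashing, and a per-account rate limiter for online guessing. It uses Python's standard-library `hashlib.scrypt` because Argon2id needs a third-party package; the minimum and maximum lengths, the scrypt cost parameters, the rate-limit window and the tiny blocklist are all assumed values chosen for the example, and the blocklist stands in for a real breach-derived corpus.

```python
import hashlib
import hmac
import os
import time
import unicodedata
from typing import Optional

# Policy parameters (assumed for this example; confirm against the current SP 800-63B revision)
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist standing in for a breached-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# scrypt cost parameters (assumed; tune to your hardware budget)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare and hash identically."""
    return unicodedata.normalize("NFKC", password)


def check_password_policy(password: str, blocklist=BREACHED_PASSWORDS):
    """Return (accepted, reason). Only length and breach screening; no composition rules."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if pw in blocklist:
        return False, "found in breached-password list"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt and a fresh random per-user salt; returns a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored alongside the hash; constant-time compare."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(bytes.fromhex(digest_hex)))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginRateLimiter:
    """Per-account sliding window: block once max_attempts failures occur within window_seconds."""

    def __init__(self, max_attempts=5, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so tests can drive time deterministically
        self._failures = {}  # username -> list of failure timestamps

    def allowed(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(username, []) if now - t < self.window]
        self._failures[username] = recent
        return len(recent) < self.max_attempts

    def record_failure(self, username: str) -> None:
        self._failures.setdefault(username, []).append(self.clock())

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


def authenticate(username: str, password: str, store: dict, limiter: LoginRateLimiter) -> str:
    """Return 'locked', 'ok' or 'denied'; store maps username -> stored hash record."""
    if not limiter.allowed(username):
        return "locked"
    if username in store and verify_password(password, store[username]):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "denied"


if __name__ == "__main__":
    ok, reason = check_password_policy("correct horse battery staple")
    print("policy:", ok, reason)
    record = hash_password("correct horse battery staple")
    print("stored:", record[:40] + "...")
    print("verify:", verify_password("correct horse battery staple", record))
```

The stored record carries its own cost parameters, so they can be raised later and old hashes re-hashed on next successful login without a migration flag. The rate limiter is in-memory and per-process; a real deployment would back it with shared storage and also limit per source address.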

This article summarizes public NIST text; compliance programs may impose additional controls beyond memorized secrets alone.