
New NIST Password Guidelines

The National Institute of Standards and Technology (NIST) issued an update to its password guidelines in June 2017, titled Digital Identity Guidelines (SP 800-63-3). Many of the credential practices that the industry previously treated as best practice have been replaced with simpler, more user-friendly approaches.

Examples of new guidelines in the Digital Identity Guidelines (SP 800-63-3):

  • Password lengths between 8 and 64 characters are recommended.
  • Nonstandard character types, such as emoticons, are allowed where possible.
  • Long passphrases are encouraged, and passphrases should not match entries in the prohibited password dictionary.
  • Password resets should be triggered primarily when the password is compromised or forgotten.
  • Multifactor authentication is encouraged in all but the least sensitive applications.
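As an added example (not code from the original article), a memorized-secret check in Python that enforces only the rules summarized above: a length window, a blocklist lookup, and no composition requirements. The blocklist contents and the `context_words` parameter are constructed for illustration; the NFKC normalization step comes from SP 800-63B's recommendation to normalize Unicode before comparison, not from this page's summary.

```python
import unicodedata

# Constructed stand-in for the "prohibited password dictionary" the
# guidelines describe; a real deployment would load breached-password
# corpora and context-specific words instead of this short set.
PROHIBITED = {
    "password", "12345678", "qwertyuiop", "letmein1", "iloveyou",
}

MIN_LENGTH = 8   # minimum the guidelines require
MAX_LENGTH = 64  # verifiers must accept at least this many characters


def normalize(secret: str) -> str:
    """Apply Unicode NFKC normalization (per SP 800-63B) so visually
    identical inputs, e.g. ligatures or composed accents, compare alike."""
    return unicodedata.normalize("NFKC", secret)


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return the list of reasons the secret is rejected; empty means accepted.

    Only length and blocklist rules are enforced. No composition rules
    (uppercase, digit, symbol) are imposed, and any printable character,
    including emoji, counts as one character.
    """
    reasons = []
    s = normalize(secret)
    length = len(s)  # len() counts code points, not bytes
    if length < MIN_LENGTH:
        reasons.append(f"too short: {length} < {MIN_LENGTH}")
    if length > MAX_LENGTH:
        reasons.append(f"too long: {length} > {MAX_LENGTH}")
    folded = s.casefold()
    if folded in PROHIBITED:
        reasons.append("matches prohibited password dictionary")
    # Hypothetical extension: words tied to the account or service
    # (username, product name) are also disallowed, as 800-63B suggests.
    for word in context_words:
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons
```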

Related Links and Additional Reading:

  1. NIST’s New Password Rule Book: Updated Guidelines Offer Benefits and Risk