The National Institute of Standards and Technology (NIST) was founded in 1901 and is part of the U.S. Department of Commerce and is one of America’s oldest physical science laboratories. 

NIST produces  a wide range of measurements and standards, many of which are used world-wide and contribute to many advanced technologies, materials and fabrication.

NIST also produces guidelines for the system developers who create APPS needing passwords and tells them what checks should be made and what restrictions to apply.

The latest guidance on passwords is DRAFT NIST Special Publication 800-63B Digital Identity Guidelines




 It says that passwords should be

·         chosen by and memorable for the user.

·         of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover them.

·         at least 8 characters in length (unless allocated by the system in which case they should be at least 6 characters)

Setting a New Password

Passwords shall be at least 8 characters in length if chosen by the user; Passwords chosen randomly by the system should be at least 6 characters in length and may be entirely numeric.  In the last few years, most websites have insisted that new passwords capital letters and numbers, but this new guidance says that’s unnecessary. 

Any requested password should be checked against a list of commonly-used values. These may include (but is not limited to):-

·         Dictionary words

·         Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)

·         Context specific words, such as the name of the service, the username, and derivatives thereof.

If the chosen password is found in the list, then the user should be told the reason for rejection and have to submit a new password value.


There should be a maximum number of times a user can try to input a new password, and then the user should be blocked temporarily. 

Password Verification

Passwords to be up to 64 characters or more in length. All printing ASCII  characters as well as the space character should be acceptable as well as Unicode characters.

For some years, it became common for systems to require a password be changed every 6 or 12 months and that advice was given out many times, but this has changed. It is now recommended that systems do not require password changes. Users can choose to change their passwords whenever they wish.

Password ‘hints’ should not be used.

To assist the user in setting a password, there can be an option to show the password as it is entered, until completed.  There can also be an option to show each character for a few seconds or until the next character is entered.

The system should use approved encryption and should utilize an authenticated protected channel when requesting Passwords in order to provide resistance to eavesdropping and MitM attacks.

These new guidelines should make designing and implementing password verification simpler and also easier for the user as there are fewer rules to follow.