NIST password compliance guidelines – What they are and how you can meet them

The new password guidelines from National Institute of Standards and Technology (NIST) are changing how companies and organizations view password security. The guidelines say: Do allow for longer passwords and choosing original secret questions, Don’t allow users to choose a password from a compromised list, or force password expiration without cause. These changes aim to increase password security and improve the end user experience.

In the comprehensive Digital Identity Guidelines, from NIST, password security is addressed within the chapter titled Memorized Secret Verifiers. A memorized secret verifier is any system that needs to check the validity of a password or PIN. In most organizations, that means Active Directory and supporting business systems.


When it comes to password length, NIST requires that passwords are at least 8 characters long and recommends that passwords can be as long as 64 characters. Longer passwords offer better protection from various password attacks.

Specops recommendation: 

Allowing users to choose passphrases helps create longer passwords that are still easy for end users to create and use.

Dictionary lists

NIST requires federal organizations to check passwords against a list of commonly used or compromised passwords. Potential lists include passwords obtained from a previous breach, dictionary words, repetitive characters and context-specific words such as usernames. Blocking dictionary lists can help keep out the most vulnerable passwords – whether these are on a leaked password list or a list of weak passwords.

Specops recommendation: 

The easiest way to check user passwords against a leaked list is with a breached password protection service. During a password change in Active Directory, Specops Password Policy will reject passwords found in the breached password list. The list is also updated in response to new vulnerabilities.

Composition requirements

NIST discourages composition requirements such as a mixture of character types, when setting passwords. While this is not prohibited, the NIST recommendation is to avoid password complexity rules and instead check users’ passwords against known dictionary lists.

Specops recommendation:

Finally, the tide is turning away from short complex passwords to longer passphrases, which offer better protection from attacks and a better user experience. However, some other regulatory bodies still require complexity rules, such as PCI.

Password Expiration

NIST discourages regular password expiration (memorized secrets changing arbitrarily) but requires forcing a password change if there is evidence that the authenticator has been compromised. This is because regular password expirations and changes create poor password habits where users tend to fall into the same patterns for creating a new password.

Specops recommendation: 

Blocking dictionary lists is great when a user is setting a password for the first time, but what happens if that same password turns up on a leaked list one month later? We recommend continuing to use password expiration as a way to check passwords against dictionary lists when a new major leak occurs and a list is added.

Secret questions

NIST prohibits the use of predefined secret questions (security or challenge questions) when verifying a user for password creation and reset. Your mother’s maiden name, your first pet and the name of your high school are all susceptible to social engineering.

Specops recommendation: 

Secret questions can be social engineered easily and many users forget the answers to less common questions. We believe in more secure ways to identify users  such as authenticating them on popular authentication apps from Google and Microsoft, or fingerprint scanning on a mobile phone.

NIST updated their Digital Identity Guidelines in June 2017 to follow the latest best practices in identity proofing and authentication of users interacting with government IT systems, but many non-federal organizations also choose to follow the guidelines.

NIST terminology

Claimant – the party being authenticated

Verifiers – the party verifying the claimant

Memorized secret – password and PIN, something you know

Knowledge-based verification – secret or security questions

(Last updated on October 30, 2023)


Back to Blog

Related Articles

  • GDPR compliance and access control – what you should already be doing

    With less than a year until the EU General Data Protection Regulation (GDPR) takes effect, all organizations collecting or processing data for individuals within the EU are in the midst of developing their compliance strategy. The new regulation will carry an impact well beyond Europe. A recent PwC pulse survey found that over half of…

    Read More
  • 3 steps to take after a security breach

    For a long time now, Specops has been advising organizations on how to protect their network and data against common security threats. We’ve managed to cover everything from sophisticated social engineering tactics, to the simple phishing email. Along the way, we’ve repeated the importance of a strong password/passphrase, or better yet, additional layers via multi-factor…

    Read More