Summary of NIST Recommendations for Passwords

Recommendations for memorized Secrets

Recommendations for Users

Dos

  • The password should have at least 8 characters (the longer, the better)

Don'ts

  • Do not impose complexity requirements
  • Do not impose a maximum password length (permit at least up to 64 characters)
  • Do not impose periodical password changes

Recommendations for Password Verifiers

  • allow all printing ASCII characters
  • do not truncate the secret
  • do not provide/allow password hints
  • reject prospective secrets that ...
    • were used in previous breaches
    • contain dictionary words
    • contain repetitive or sequential patterns
    • contain context-specific words like user name, service name etc.
  • provide a password strength meter
  • provide login rate limiting
  • allow password paste (encourage password managers)
  • offer an option to display the password being typed in (encourage long passwords)
  • secrets must be stored salted (salt>32bits) and hashed (SHA-3, HMAC, CMAC, ...)
  • In addition, an additional salt/hash operation should be performed with a secret salt

References