DEV Community

Snappy Tools

NIST Password Guidelines 2024: What Every Developer Needs to Know

If you're still telling users to include "at least one uppercase letter, one number, and one special character," you're following outdated advice. The National Institute of Standards and Technology (NIST) updated their password guidance significantly in 2024, and the changes are worth knowing — especially if you build or maintain authentication systems.

What Is NIST SP 800-63B?

NIST Special Publication 800-63B is the US federal standard for digital identity and authentication. It's not just for government systems — it's widely cited as the gold standard for password policy in private industry. The fourth revision (800-63B-4) was published in 2024, building on the landmark 2017 update that first reversed decades of conventional wisdom about passwords.

The 2024 Updates: What Changed

Minimum length raised to 15 characters

The 2017 guidance set the minimum at 8 characters. The 2024 revision raises this to 15 characters for user-chosen passwords. The maximum must be at least 64 characters, and a verifier must accept a password of that length in full rather than silently truncating it.

All Unicode is now allowed

Passwords must support all printable Unicode characters, including spaces and emoji. A password like correct horse battery staple (with spaces) is valid and encouraged. This matters for internationalization — non-English users often use characters from their own language in memorable passphrases.

Mandatory breach checking

New passwords must be checked against known-compromised lists. The HaveIBeenPwned API provides a free, privacy-preserving k-anonymity endpoint for this. If a user submits a password found in a breach dataset, reject it with a clear message — not a generic "password is too weak" error.

SMS OTP is downgraded

SMS-based one-time passwords are no longer considered acceptable for high-assurance applications. SMS is vulnerable to SIM-swapping attacks and SS7 protocol weaknesses. NIST now recommends authenticator apps (TOTP) or passkeys instead.

Periodic rotation is explicitly banned

This deserves emphasis: do not force users to change passwords on a schedule. The research is clear — forced rotation leads to predictable changes (Password1 → Password2 → Password3) and makes security worse. Only require a password change if there's evidence of compromise.

What NIST Says to Stop Doing

These practices are explicitly discouraged in 800-63B:

  • Complexity rules: Requiring uppercase + lowercase + number + symbol. These push users toward predictable substitutions (P@ssw0rd) rather than genuinely random passwords.
  • Password hints: Storing hints that make guessing easier.
  • Knowledge-based authentication: Security questions ("What was the name of your first pet?") are banned for high-assurance applications.
  • Truncating passwords: Never silently truncate a password that is within the maximum length. A truncated password is weaker than the one the user chose, and the user has no way of knowing it.
  • Password expiration timers: Without evidence of compromise, rotating passwords reduces security.

What Good Password Policy Looks Like in 2024

If you're building an auth system or updating your password policy, here's the NIST-aligned checklist:

  1. Accept passwords 15–64+ characters (set your DB column to 255 to be safe)
  2. Accept all printable characters including spaces — don't strip or reject Unicode
  3. Hash with bcrypt, Argon2, or scrypt — never MD5, SHA-1, or unsalted SHA-256
  4. Check against breach databases at registration and optionally on login
  5. No complexity rules — length is the only mandatory requirement
  6. No periodic expiration — only reset on confirmed breach
  7. Rate-limit login attempts — throttle or lockout after repeated failures
  8. Offer MFA — TOTP or passkeys, not SMS
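As an added example (not code from the original post), here is a Python validator that turns the "stop doing" list and checklist items 1 to 7 into code: length is counted in Unicode code points after NFKC normalisation, no composition rules are applied, known-breached passwords are rejected with a specific message, the hash is salted scrypt from the standard library, and a small throttle locks an account after repeated failed logins. The policy constants, the tiny breached set and the `LoginThrottle` class are constructed for illustration; a real deployment would query a breach corpus such as the HIBP range API instead of a hard-coded set.

```python
import hashlib
import secrets
import time
import unicodedata
from collections import defaultdict, deque

# Policy constants (constructed for this example, following the checklist above).
MIN_LEN = 15    # user-chosen passwords: length is the only mandatory rule
MAX_LEN = 128   # must be at least 64; anything within it is stored in full, never truncated

# Stand-in for a breach corpus (constructed); production code would query
# a real one, e.g. the HIBP range API shown later in the post.
KNOWN_BREACHED = {"P@ssw0rd", "Password1", "Password1Password1"}


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical input hashes identically,
    e.g. 'é' typed as one code point or as 'e' + combining accent."""
    return unicodedata.normalize("NFKC", password)


def validate(password: str, breached=KNOWN_BREACHED) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Length is counted in code points, so spaces, emoji and non-Latin
    scripts count like any other character. No composition rules."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"too short: {len(pw)} characters, need at least {MIN_LEN}")
    if len(pw) > MAX_LEN:
        problems.append(f"too long: {len(pw)} characters, maximum {MAX_LEN}")
    if pw in breached:
        problems.append("appeared in a known data breach; please choose a different one")
    return problems


def hash_password(password: str) -> str:
    """Salted scrypt (stdlib); the parameters are stored with the hash so they can be raised later."""
    salt = secrets.token_bytes(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return secrets.compare_digest(digest.hex(), digest_hex)   # constant-time comparison


class LoginThrottle:
    """Checklist item 7: lock an account after `limit` failed attempts within `window` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, limit: int = 5, window: float = 300.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures = defaultdict(deque)

    def record_failure(self, account: str) -> None:
        self._failures[account].append(self.clock())

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        return len(recent) >= self.limit


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "correct horse battery staple", "🔑" * 15]:
        print(repr(candidate), "->", validate(candidate) or "accepted")
    stored = hash_password("correct horse battery staple")
    print(stored[:40] + "...", verify_password("correct horse battery staple", stored))
```

The normalisation step matters more than it looks: without it, a user who types an accented character on one keyboard layout (one code point) and on another (base letter plus combining mark) would be told their own password is wrong. Storing the scrypt parameters alongside the hash lets you raise the work factor later and re-hash on the next successful login.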

A Note on Entropy

The reason NIST focuses on length rather than complexity is entropy. Password strength is measured in bits of entropy: roughly, the base-2 logarithm of the number of possible passwords, which tells you how many guesses an attacker would need to exhaust them all.

  • 8-character all-lowercase: ~38 bits
  • 8-character with complexity rules: ~52 bits (strong for a 2005 attack, weak today)
  • 16-character random (mixed): ~105 bits
  • 20-character random (mixed): ~131 bits — exceeds AES-128 security level

A random 16-character password generated by a cryptographically secure generator is practically uncrackable by brute force. The real risks are phishing, credential stuffing, and insecure storage — not brute force.

For generating properly random passwords, use this free password generator — it uses window.crypto.getRandomValues() (the same CSPRNG your browser uses for HTTPS) and runs entirely in your browser. No data is ever sent to a server.
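To show where the figures in the table above come from, here is an added example (not from the original post or the SnappyTools generator) that computes entropy as length × log2(alphabet size) and generates passwords from the OS CSPRNG with Python's `secrets` module, the server-side counterpart of `window.crypto.getRandomValues()`. The alphabets (26 lowercase letters; the 94 printable ASCII characters without space) and the guess rate of 10^12 per second used for the time estimate are constructed assumptions, and the function and variable names are mine.

```python
import math
import secrets
import string

# Alphabets used to reproduce the figures above (constructed): 26 lowercase letters and
# the 94 printable ASCII characters (letters, digits, punctuation; space excluded).
LOWERCASE = string.ascii_lowercase
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a password drawn uniformly at random:
    length * log2(alphabet_size), i.e. log2 of the number of possible passwords."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Time to exhaust the whole space at a given guess rate (the rate is a constructed assumption)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Each character is chosen uniformly by the OS CSPRNG via `secrets`.
    Do not use the `random` module here: it is a predictable PRNG, not a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_table():
    """The four rows from the post, as (label, rounded bits, years to exhaust at 1e12 guesses/s)."""
    rows = [("8 chars, lowercase only", 8, len(LOWERCASE)),
            ("8 chars, full printable set", 8, len(PRINTABLE)),
            ("16 chars, full printable set", 16, len(PRINTABLE)),
            ("20 chars, full printable set", 20, len(PRINTABLE))]
    return [(label, round(entropy_bits(n, k)), brute_force_years(entropy_bits(n, k)))
            for label, n, k in rows]


if __name__ == "__main__":
    for label, bits, years in strength_table():
        print(f"{label:30} ~{bits:3d} bits  ~{years:.3g} years at 1e12 guesses/s")
    print("example:", generate_password(20))
```

Note that the entropy figures only hold for passwords chosen uniformly at random by a generator; a human-chosen 16-character password has far fewer bits than the formula suggests, which is why the breach check is still needed even for long passwords.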

How to Check If a Password Has Been Breached

The HaveIBeenPwned API uses k-anonymity: you send only the first 5 characters of the SHA-1 hash of the password, and the API returns all matching hash suffixes. Your server (or client) checks if the full hash appears in the list. The password itself never leaves the user's device.

import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def is_pwned(password: str, timeout: float = 5.0) -> int:
    """Return how many times the password appears in the HIBP corpus (0 if never).

    Only the first 5 hex characters of the SHA-1 hash leave the machine (k-anonymity);
    the full hash is compared locally against the suffixes the API returns.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    # HIBP asks clients to identify themselves with a User-Agent header; the
    # Add-Padding header makes every response a similar size so a network
    # observer cannot infer the prefix from the response length.
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    for line in body.splitlines():
        hash_suffix, _, count = line.partition(":")   # format: SUFFIX:COUNT
        if hash_suffix == suffix:
            return int(count)   # padding entries carry a count of 0
    return 0

count = is_pwned("password123")
print(f"Seen {count:,} times in breach data" if count else "Not found in known breaches")

Run this check at password creation and optionally on login. If the count is > 0, reject the password with a message like: "This password appeared in a known data breach. Please choose a different one."

Summary

NIST's 2024 guidance in three sentences: Use long random passwords. Stop adding friction that doesn't improve security. Check passwords against known breach databases.

For most developers, the key action item is to stop enforcing complexity rules that frustrate users without improving security, and to add HaveIBeenPwned integration to your registration flow.


Need to generate strong random passwords for testing, provisioning, or personal use? SnappyTools Password Generator runs entirely in your browser with no server calls — 8 to 128 characters, customisable character sets, and up to 10 passwords at once.
