How secure are your passwords? Check here to find out.

Password Guidelines from the National Institute of Standards and Technology (NIST)


According to the National Institute of Standards and Technology (NIST) Special Publication SP 800-63B, Authentication and Lifecycle Management, memorized secrets (the standard's term for passwords) should meet these minimum requirements:


  • At least 8 characters in length, and the system should accept passwords of up to at least 64 characters, with all printable ASCII and Unicode characters, including spaces, allowed when creating these memorized passwords (or passphrases).
  • Passwords that are chosen by the service provider upon enrollment or when a new password is requested must be at least 6 characters in length and generated using an approved random bit generator.
  • Don't store password hints in any system that is accessible to unauthenticated users.
  • All new passwords must be checked against lists of commonly used, expected, or compromised passwords. See How to Check Passwords below.
  • If an account is compromised, force a change of the user's password. But don't force a change just because a few weeks have elapsed.

There are other suggestions in this standard that should be considered as you establish your password policies, so a full review is highly recommended.



How to Check Passwords


Check all new and existing passwords against a list of commonly used, expected, or compromised passwords. Any match found by this check should result in the password being rejected, the user being told why it was rejected, and a prompt to select a new password.


https://haveibeenpwned.com/Passwords is the tool TechStar recommends for checking passwords. IF IT'S BEEN PWNED DON'T USE IT!
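The check described above can be automated at password-set time. This is an added example (not TechStar's or NIST's code) that applies the 8-to-64 character rule and then queries the Pwned Passwords breach list the k-anonymity way: only the first five hex characters of the password's SHA-1 are sent, and the matching suffix is looked up locally. By default it runs against a constructed, offline stand-in for the API response so it works without network; `live_range_lookup` is the real call.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

MIN_LEN, MAX_LEN = 8, 64   # NIST SP 800-63B: at least 8, allow at least 64

# Constructed stand-in for a Pwned Passwords "range" response (real ones hold
# hundreds of "HASH_SUFFIX:COUNT" lines). The first suffix is made up; the
# second is the real tail of SHA-1("password"), and its count is invented.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    ),
}

def offline_range_lookup(prefix: str) -> str:
    """Default fetcher so the example runs offline; returns "" for unknown prefixes."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def live_range_lookup(prefix: str) -> str:
    """Real k-anonymity query: only 5 hex chars of the hash leave the host."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str,
                 fetch: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def check_password(password: str,
                   fetch: Callable[[str], str] = offline_range_lookup) -> str:
    """Apply the rules above; return "ok" or the reason to show the user."""
    length = len(password)  # code points, so Unicode passphrases count fairly
    if length < MIN_LEN:
        return f"too short: use at least {MIN_LEN} characters"
    if length > MAX_LEN:
        return f"too long: use at most {MAX_LEN} characters"
    hits = breach_count(password, fetch)
    if hits:
        return f"rejected: found in known breaches ({hits} times), pick a different one"
    return "ok"

if __name__ == "__main__":
    for pw in ("password", "short", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```

Pass `fetch=live_range_lookup` to `check_password` to run the same logic against the real service; the hash prefix sent reveals nothing usable about the password itself.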