The Most Essential NIST 800-63b Password Guidelines 

Written by Brenna Lee and Ashley Gwilliam on March 28, 2023

Share This Article

The National Institute of Standards and Technology (NIST) has long been an authority figure for best practices on how to secure identities, passwords, and more. 

One of their commonly used protocols is the NIST 800-63b Digital Identity Guidelines. The guidelines focus on authentication and password lifecycle management.

Keeping up with a revolving door of cybersecurity standards and guidelines is a challenging, yet necessary aspect of IT management. The good news? NIST hasn’t made significant changes since publishing its original guidelines in 2017.

Keep reading to review NIST’s latest 800-63b Digital Identity Guidelines with a focus on password management:

NIST 800-63b Password Guidelines and Best Practices

Businessman logging on to a password protected website. There are login and password fields and a sign in button. There is also a shield and lock graphic

Below is a brief summary of password best practices and current NIST password guidelines. It’s worth emphasizing these are just some of the guidelines, but the NIST Digital Identity Guidelines are extensive. Read more details on the NIST website.

Note: Passwords are referred to as “memorized secrets” in NIST documentation.

Prioritize Password Length Over Complexity

Complex passwords that include a combination of upper/lower case letters, numbers, and characters are obviously harder to crack than something like “1234.”

But NIST cautions against the use of complex passwords. Why? Their research has shown users are likely to a) choose predictable combinations and b) forget especially complex passwords. For these reasons, the organization recommends using long passwords or passphrases from 8 to 64 characters in length. 

With that said, using complex passwords in combination with a tool like JumpCloud’s Password Manager solves both of the aforementioned issues. The software allows users to quickly create strong, unique passwords that are securely stored locally on devices via a decentralized architecture. 

Password management tools also curb password reuse across personal and work accounts — a bad practice 65% of workers said they engage in, according to a recent JumpCloud survey. 

Block Obvious Passwords

As much as we think of ourselves as unique human beings (and we are), most of us aren’t so original when it comes to passphrases. It’s ridiculously common for end users to incorporate consecutive or incremental characters in their passwords.

Think 1234, abcd, or bbbb. End users often use these add-ons when prompted to change their passwords because of an expiration policy. Outlaw such simplistic sequences to thwart the temptation to more or less keep the old password come notification time. 

In addition, prevent users from choosing passwords included in your self-made password dictionary. Hackers commonly attempt password combinations that utilize industry lingo. An easy way to reduce risk is to draft a dictionary of outlawed passwords using such terms. 

Easy Password concept.  My password 123456 written on a paper with marker.

Limit Failed Password Attempts

One of the most common causes of successful brute force attacks is not restricting failed password attempts. It’s not uncommon for federal agencies to lock out users after three to five login attempts. With that said, NIST is pretty generous with their recommendation of no more than 100 login attempts. 

Obviously, this precaution increases the difficulty for cyberattackers attempting break-ins. 

Unfortunately, offline attacks don’t prevent attackers from attempting millions of combinations without limitations, and stealing files and database information. This possibility could be seen as a pro for switching completely to the cloud, but we digress. 

Use Two-Factor Authentication (2FA)

OK, this one isn’t an NIST password guideline, but it is a best practice within the IT community. Two-factor authentication is a type of account verification process that requires users to provide a second factor that proves their login credentials. 

This second factor should be something a malicious actor can’t easily replicate, like a personal security question or a code sent to a device only the account holder can access. One of the cool things about 2FA is that should a password breach occur, unleashing login credentials into the wild, the fortress will remain protected. 

You can use a tool like the JumpCloud Directory platform to streamline 2FA. The software makes it easy to set up push-based, time-based one-time passwords (TOTP), and more. 

More NIST 800-63 Password Guideline Tips

  • Support all ASCII characters (including space).
  • Accept unicode characters.
  • Do not truncate passwords during processing. 
  • Generate passwords using an approved random bit generator when allowing a credential service provider (CSP) or verifier to randomly choose the phrases. 
  • Use an approved bit generator to approve passwords randomly chosen by a CSP or verifier.
  • Provide end users with password-strength meters (not necessary when using a password manager).
  • Permit the “paste” functionality when entering a password. This prevents users from choosing weaker passwords to avoid inputting complex ones twice. 
  • Don’t enforce composition requirements. 
  • Don’t enforce password expiration periods.
  • Don’t give password hints. 
  • Don’t use knowledge-based authentication (e.g., who was your best friend in high school?).

As you may have realized, many of these guidelines challenge traditional password security practices. However, NIST suggests that guidelines like increased complexity and frequent password changes, for example, lead to poor password behavior in the long run. 

The programmer is logging in and encrypting it for security. with cybersecurity technology, website design and social security cyber concept

The argument is that people can only remember so much and will resort to insecurely storing complex passwords (e.g., a sticky note on the computer monitor) or by meeting requirements in a predictable way (e.g., Password1!). 

Again, NIST 800-63 password guidelines work to combat this behavior by essentially proposing the use of one long, simple password that should only be changed when it is compromised. Alternatively, organizations can utilize a tool like JumpCloud’s Password Manager that allows network users to generate strong passwords, autofill passwords, and store secrets locally. 


The IT Manager’s Guide to Data Compliance Hygiene

How to ace your audit

Who Needs to Comply with NIST 800-63b?

While many IT organizations use NIST guidelines to inform their security practices, only federal agencies are required to comply with NIST 800-63b. With that said, the recommendations can benefit all types of environments. 

It’s worth mentioning that these guidelines haven’t assimilated with other compliance regulations yet. So, make sure to cross-reference NIST’s suggestions with compliance requirements.

The best way for IT organizations to support NIST’s guidance, or any compliance regulation for that matter, is with their core identity provider (IdP). The IdP should control access to systems, applications, file storage, and networks regardless of protocol, platform, provider, and location. 

Then, when password guidelines are set in the core IdP, virtually all of the IT resources that authenticate against the identity provider will be compliant. An IdP with a password manager component makes compliance and password management even easier for IT administrators and end users.

Secure Passwords with JumpCloud

No doubt about it — password best practices are an essential component of identity and access management. More than 180,000 organizations worldwide use JumpCloud to centrally manage their systems, apps, and devices. 

Our built-in multi-factor authentication (MFA), Password Manager, and single sign-on (SSO) makes it easier to follow compliance and security regulations. IT admins have complete freedom to determine the character length, complexity, and expiration of passwords in their environment, enabling them to follow NIST’s password guidance to the fullest. 

Those following stringent regulations like HIPAA, PCI, or GDPR, can also enjoy JumpCloud. Once password requirements are determined, they automatically propagate to all of the IT resources that are tied to JumpCloud.

Looking to beef up security and get a handle on data compliance? 

Click here to visit the IT Compliance Quickstart Guide

Brenna Lee

Brenna is a Content Writer at JumpCloud that loves learning about and immersing herself in new technologies. Outside of the [remote] office, she loves traveling and exploring the outdoors!

Ashley Gwilliam

Ashley Gwilliam is a Content Writer for JumpCloud. After graduating with a degree in print-journalism, Ashley’s storytelling skills took her from on-camera acting to interviewing NBA basketball players to ghostwriting for CEOs. Today she writes about tech, startups, and remote work. In her analog life, she is on a quest to find the world's best tacos.

Continue Learning with our Newsletter