NIST 800-63 Password Guidelines – Updated

Written by Natalie Bluhm on March 27, 2019

Share This Article

The National Institute of Standards and Technology (NIST) has long been an authority figure for best practices on how to secure identities, passwords, and more. Recently, NIST Special Publication 800-63 guidelines for 2019 were released, and many IT admins are interested in learning what they are. The good news is there haven’t been too many changes from when the NIST 800-63 password guidelines were originally published in 2017. Let’s take a look at what NIST suggests.

What You Need to Know About NIST 800-63 Password Guidelines

A Brief Summary

Also referred to as memorized secrets, here is a brief summary of 2019 NIST password guidelines:

  • 8 character minimum when a human sets it
  • 6 character minimum when set by a system/service
  • Support at least 64 characters maximum length
  • All ASCII characters (including space) should be supported
  • Truncation of the secret (password) shall not be performed when processed
  • Check chosen password with known password dictionaries
  • Allow at least 10 password attempts before lockout
  • No complexity requirements
  • No password expiration period
  • No password hints
  • No knowledge-based authentication (e.g. who was your best friend in high school?)
  • No SMS for 2FA (use a one-time password from an app like Google Authenticator)

Many of these new guidelines challenge traditional password security practices. For example, the idea of not requiring password complexity is radically different than what has been conveyed in the past. However, NIST suggests that guidelines like increased complexity and frequent password changes, for example, lead to poor password behavior in the long run. Because people can only remember so much, employees often cope with frequently changed, complex passwords by storing them in an insecure manner (e.g. a sticky note on a computer monitor) and by meeting the requirements in a very predictable way (e.g. Password1!). NIST 800-63 password guidelines work to combat this behavior by essentially proposing the use of one long simple password that should only be changed when it is compromised. You can read more about their reasoning behind their recommendations here.

Illustration of a person using a large screen

Enforce Password Requirements Remotely

Meet NIST standards across your organization — even with users working from home.

Who Needs to Comply with NIST 800-63?

While many IT organizations use NIST guidelines to inform their security practices, only federal agencies are required to comply with NIST 800-63. Still, that doesn’t mean you shouldn’t seriously consider NIST’s recommendations and how they could benefit your environment. Just remember that these guidelines haven’t made their way into other compliance regulations yet, so make sure to cross-reference NIST’s suggestions with your current compliance requirements.

How to Support NIST Password Guidelines

The best way for IT organizations to support NIST’s guidance, or any compliance regulation for that matter, is with their core identity provider (IdP). Their IdP should control access to systems, applications, file storage, and networks regardless of protocol, platform, provider, and location. Then, when they set password guidelines in the core IdP, virtually all of their IT resources that authenticate against the identity provider will be compliant. If such an identity management solution sounds intriguing, take a look at the JumpCloud Directory Platform.

Secure Memorized Secrets with JumpCloud

JumpCloud is a core part of tens of thousands of IT organizations’ networks. JumpCloud takes a multi-protocol, vendor-independent approach that enables IT admins to centrally manage all of their systems, apps, file storage, and networks. With two-factor authentication and password complexity functionality to boot, it’s easy for IT admins to support NIST 800-63 guidelines and other compliance regulations from a single pane of glass.

IT admins have complete freedom to determine the character length, complexity, and expiration of passwords in their environment, enabling them to follow NIST’s password guidance to the fullest. For those who need to meet more stringent password requirements for regulations like HIPAA, PCI, or GDPR, organizations have the freedom to meet those as well with the same solution. Once password requirements are determined, they automatically propagate to all of the IT resources that are tied to the identity provider.

For 2FA guidelines, IT admins can enforce 2FA on Mac® and Linux® systems, on the Admin Console, and on applications by requiring 2FA on the User Portal. Our two-factor authentication solution only works with one time passwords generated from an authenticator app like Google Authenticator, Duo Mobile, and FreeOTP; JumpCloud MFA doesn’t permit one time passwords delivered via SMS. As a result, you can easily follow NIST’s guidance in this as well.

So, whether you are looking to follow NIST or needing to comply with industry regulations, a comprehensive IdP can provide you with the necessary centralization, control, and security you need to meet your goals.

Find Out More About JumpCloud

For more information on how JumpCloud supports NIST 800-63 password guidelines, drop us a note. One of our product experts will gladly walk you through how our cloud directory platform can support your compliance requirements. Ready to see the platform in action? You are more than welcome to start testing by signing up for a JumpCloud Free account. You don’t need to reach for a credit card; the entire platform is available; and your first 10 users and 10 devices are free. Watch the video above to learn how to get started.

Natalie Bluhm

Natalie is a writer for JumpCloud, an Identity and Access Management solution designed for the cloud era. Natalie graduated with a degree in professional and technical writing, and she loves learning about cloud infrastructure, identity security, and IT protocols.

Continue Learning with our Newsletter