Review of NIST SP 800-63 Memorized Secrets Guidelines

NIST’s guidance on memorized secrets can be an important part of an IT organization’s effort to meet federal requirements. Many organizations are required by law to comply, and many others adopt NIST’s guidance as a baseline for strong security hygiene. Whatever your purview, this blog post reviews NIST SP 800-63’s guidance for memorized secrets.

What are NIST SP 800-63 Memorized Secrets?

NIST has introduced more modern password policies in its Digital Identity Guidelines, the SP 800-63 series of documents. The guidelines contain NIST’s recommendations for memorized secrets, i.e. passwords (Section 5.1.1). There has been much debate in the IT security community about how passwords should be handled.

Some argue that password length is more critical, while others have argued that adding complexity to the password is a sound approach.

Complex Passwords or Longer Passwords?

While NIST does not completely settle the debate, its recommendations steer IT organizations toward longer passwords without mandatory complexity. Interestingly, NIST does not rely only on numerical evidence – for example, how hard a password is to crack – but also on the observation that complex passwords are harder for users to remember. Because they are harder to remember, users end up writing them down or choosing predictable patterns that are easier to recall. This erodes the security value that complexity rules were supposed to provide in the first place.

NIST SP 800-63 Password Recommendations

NIST SP 800-63B’s guidance on memorized secrets, whether chosen by a person or generated by a system, is summarized below:

  • 8-character minimum when chosen by a human
  • 6-character minimum when generated by a system/service
  • Support a maximum length of at least 64 characters
  • All ASCII characters (including space) should be supported
  • The secret shall not be truncated when processed
  • Check the chosen password against known password dictionaries
  • Allow at least 10 password attempts before lockout
  • No complexity requirements
  • No password expiration period
  • No password hints
  • No knowledge-based authentication (e.g. who was your best friend in high school?)
  • No SMS for 2FA (use an OTP like Google
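To make the rules above concrete, here is an added example (not JumpCloud’s or NIST’s code) of a verifier-side acceptance check and a lockout counter that follow the list: length minimums that differ for human-chosen and system-generated secrets, a supported length of at least 64 characters, all printable ASCII including space accepted, no truncation, a lookup against a compromised-password list, no composition rules, and no lockout before the tenth failed attempt. The blocklist is a constructed sample standing in for a real breached-password corpus; the function and class names are the example’s own.

```python
"""Added example: a password-acceptance check and lockout counter following
the NIST SP 800-63B memorized-secret rules. Not JumpCloud's or NIST's code.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List

MIN_LEN_USER_CHOSEN = 8       # secret chosen by a human
MIN_LEN_SYSTEM_GENERATED = 6  # secret produced by a service
MAX_LEN_SUPPORTED = 64        # our cap; 800-63B requires supporting at least 64
MAX_FAILED_ATTEMPTS = 10      # lock only after the tenth consecutive failure

# Constructed sample of a "known compromised / commonly used" password list.
# A real deployment would load a breached-password corpus here instead.
BLOCKLIST = {"password", "password1", "12345678", "qwertyui", "letmein1"}


def _is_permitted_char(ch: str) -> bool:
    """Accept space and every printable character; reject control characters.

    All printable ASCII (space included) is allowed, as the guidance requires;
    printable non-ASCII is allowed as well so users can pick Unicode secrets.
    """
    if ch == " ":
        return True
    if ord(ch) < 0x20 or ord(ch) == 0x7F:  # ASCII control characters
        return False
    return ch.isprintable()


def check_memorized_secret(secret: str, *, system_generated: bool = False) -> List[str]:
    """Return the reasons the secret is rejected; an empty list means accepted.

    Deliberately absent: composition/complexity rules, hints, and any
    truncation of the input before checking (800-63B forbids truncation).
    """
    problems: List[str] = []
    # NFKC normalization so visually identical Unicode secrets compare equal;
    # this is the stabilized-string normalization 800-63B recommends.
    secret = unicodedata.normalize("NFKC", secret)

    minimum = MIN_LEN_SYSTEM_GENERATED if system_generated else MIN_LEN_USER_CHOSEN
    if len(secret) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if len(secret) > MAX_LEN_SUPPORTED:
        # Reject over-long input outright rather than silently truncating it.
        problems.append(f"longer than the {MAX_LEN_SUPPORTED}-character limit we support")
    if any(not _is_permitted_char(c) for c in secret):
        problems.append("contains control characters")
    if secret.lower() in BLOCKLIST:
        problems.append("appears in a known compromised-password list")
    return problems


@dataclass
class AttemptThrottle:
    """Counts failed authentications per account.

    The account is locked only once the configured number of failures has
    been reached, so ordinary typos are tolerated.
    """
    limit: int = MAX_FAILED_ATTEMPTS
    failures: Dict[str, int] = field(default_factory=dict)

    def record_failure(self, account: str) -> bool:
        """Record one failed attempt; return True if the account is now locked."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account] >= self.limit

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.limit

    def record_success(self, account: str) -> None:
        """A successful login clears the failure counter."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password1", "short", "a" * 65]:
        verdict = check_memorized_secret(candidate) or ["accepted"]
        print(f"{candidate[:24]!r:28} -> {verdict}")
```

Note what the check does not do: it never rejects a long, space-separated passphrase for lacking digits or symbols, and it never shortens the input before comparing it, which is exactly where many legacy verifiers diverge from the guidance.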

This is a Security Bloggers Network syndicated blog from Blog – JumpCloud, authored by Natalie Bluhm.

Natalie Bluhm

Natalie is a writer for JumpCloud, an Identity and Access Management solution designed for the cloud era. Natalie graduated with a degree in professional and technical writing, and she loves learning about cloud infrastructure, identity security, and IT protocols.
