Password Policy Generator
NIST-compliant password rules for your organization. Export as Markdown.
NIST vs Legacy Password Policies
For decades, organizations enforced password policies based on outdated assumptions: mandatory complexity rules, forced 90-day rotation, and security questions. NIST SP 800-63B (2020 revision) overturned these practices based on empirical research:
| Practice | Legacy Policy | NIST SP 800-63B |
|---|---|---|
| Minimum length | 8 characters | 8 minimum, 12+ recommended |
| Maximum length | 16-20 characters | At least 64 characters |
| Complexity rules | Upper + lower + number + symbol | Not recommended |
| Forced rotation | Every 60-90 days | Only on evidence of compromise |
| Breach checking | Not considered | Required (screen against known breaches) |
| Password hints | Allowed | Prohibited |
| SMS for 2FA | Acceptable | Restricted (TOTP or FIDO2 preferred) |
Why Forced Password Rotation Is Outdated
Microsoft, NIST, and the UK's NCSC all recommend against forced password rotation. The evidence is clear:
- Predictable mutations: Users make minimal changes when forced to rotate. "Summer2024!" becomes "Fall2024!" — attackers know these patterns.
- Written-down passwords: Frequent changes lead users to write passwords on sticky notes or store them insecurely.
- Helpdesk costs: Password resets are the #1 helpdesk ticket at most organizations, accounting for 20-50% of all IT support calls.
- False sense of security: If an attacker has your password, they use it within hours — not after your 90-day rotation period.
The modern approach: use strong, unique passwords, enable MFA, and change passwords only when a breach is detected.
Compliance Requirements by Framework
- SOC 2 (Type II): Requires documented password policies and access controls under the Security Trust Services Criteria (CC6.1). Auditors typically accept NIST-aligned policies.
- ISO 27001: Annex A.9.4 requires formal authentication policies including password management. The standard is control-based, not prescriptive — NIST guidelines satisfy the requirements.
- HIPAA: The Security Rule requires unique user identification (164.312(d)) and emergency access procedures. It does not specify password length or complexity but requires a "reasonable and appropriate" policy.
- PCI DSS 4.0: Requires minimum 12-character passwords (or 8 with MFA), 90-day rotation for non-MFA accounts, and lockout after 10 failed attempts.
Implementing Breach-Checking
NIST requires screening candidate passwords against lists of commonly used and previously breached passwords. The most practical implementation uses the Have I Been Pwned Passwords API with its k-anonymity range endpoint, so the password itself never leaves your system:
- Hash the user's password with SHA-1.
- Send only the first 5 characters of the hash to the API.
- The API returns all hash suffixes that match the prefix.
- Check if the full hash appears in the returned list.
This approach checks passwords against 900+ million breached credentials without ever transmitting the actual password or its full hash to any third party.
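The four steps above and the policy rules from the comparison table, as an added example that is not part of the original page or the HIBP project: `fetch_range_from_hibp` sends only the 5-character prefix to the real `api.pwnedpasswords.com/range/` endpoint, while `sample_fetch` and `SAMPLE_RESPONSE` are a constructed, offline stand-in so the check can be exercised without network access. The 12-character floor and 128-character ceiling are this example's policy choices (NIST only requires that at least 64 be accepted).

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}.
    Padding entries (count 0) are kept so that a 0 lookup still means 'not breached'."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" in line:
            suffix, count = line.split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup: only the 5 hex chars of the prefix are transmitted. Add-Padding asks
    the API to pad the response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_from_hibp) -> int:
    """How many times the password was seen in breaches; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def validate_password(password: str, fetch_range=fetch_range_from_hibp,
                      min_len: int = 12, max_len: int = 128) -> list[str]:
    """NIST-style acceptance: length floor, generous ceiling, no composition rules,
    and rejection of anything seen in a breach. Returns the list of problems found."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    elif len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


# Constructed sample range response for the prefix of "password"; not real API output.
SAMPLE_PREFIX, SAMPLE_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RESPONSE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed suffix
    f"{SAMPLE_SUFFIX}:3861493",                # constructed count for "password"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # padding-style entry
])


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_from_hibp backed by the constructed sample."""
    return SAMPLE_RESPONSE if prefix == SAMPLE_PREFIX else ""
```

Pass `sample_fetch` as `fetch_range` to test the logic offline; drop the argument to query the live API.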
Frequently Asked Questions
What is NIST SP 800-63B?
NIST Special Publication 800-63B is the U.S. National Institute of Standards and Technology's guideline for digital identity authentication. Updated in 2020, it recommends: minimum 8-character passwords (12+ for higher assurance), no forced periodic rotation, screening against known-breached passwords, and no arbitrary complexity rules. These guidelines are widely considered the gold standard for password policy.
Why does NIST recommend against forced password rotation?
Research shows that forced rotation (e.g., change every 90 days) leads users to make minimal, predictable changes: "Password1" becomes "Password2". This actually decreases security while increasing helpdesk burden. NIST recommends changing passwords only when there is evidence of compromise.
Should I require special characters in passwords?
NIST SP 800-63B explicitly recommends against mandatory complexity rules (uppercase, lowercase, numbers, symbols). These rules frustrate users and lead to predictable patterns ("P@ssw0rd!"). Instead, enforce a minimum length of 12+ characters and screen against breached password lists. Length provides more entropy than complexity.
How do I check passwords against known breaches?
The most practical approach is the Have I Been Pwned Passwords API, which uses a k-anonymity model: you send only the first 5 characters of the SHA-1 hash, and the API returns all matching suffixes. This lets you check passwords without ever transmitting the full hash. The database contains over 900 million breached passwords.
What password policy do SOC 2 and ISO 27001 require?
SOC 2 (Trust Services Criteria) requires "unique identification and authentication" but does not specify exact password rules — it defers to industry standards like NIST. ISO 27001 (Annex A.9.4) requires a formal password policy with minimum length, complexity, and change requirements. Both frameworks accept NIST-aligned policies. HIPAA requires "a password that is unique to each user" but has no specific length requirements.