Password Policy Checker
NIST Password Guidelines (SP 800-63B)
✓ What Organizations SHOULD Do
- Minimum Length: Require at least 8 characters for user-chosen passwords, 6 for machine-generated
- Maximum Length: Allow at least 64 characters
- All Characters: Accept all printable ASCII characters, including spaces
- Unicode: Support Unicode characters (emojis, international characters)
- Breach Checking: Compare passwords against lists of commonly used, expected, or compromised passwords
- Rate Limiting: Limit failed authentication attempts (to prevent brute force)
- Show Password Option: Offer an option to display the password while typing
- Password Managers: Allow paste functionality (don't block password managers)
✗ What Organizations SHOULD NOT Do
- Composition Rules: Don't impose arbitrary complexity requirements (e.g., "must include uppercase, number, and special character")
- Password Expiration: Don't require periodic password changes without evidence of compromise
- Password Hints: Don't use knowledge-based authentication (e.g., "What is your mother's maiden name?")
- SMS 2FA: Don't use SMS as two-factor authentication (use authenticator apps or hardware tokens instead)
- Truncation: Don't silently truncate passwords
Key Principles
A longer password (e.g., "correct horse battery staple") is generally more secure than a shorter complex one (e.g., "P@ssw0rd!").
Complex rules frustrate users and often lead to predictable patterns (e.g., "Password1!", "Password2!").
Check passwords against breach databases rather than forcing arbitrary complexity.
MFA does more for account security than complex password requirements.
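As an added example (not code from this page's own tool), a Python validator applying the SHOULD / SHOULD NOT lists and the principles above: it counts characters rather than bytes, accepts spaces and Unicode, imposes no composition rules, rejects over-long input instead of truncating it, and checks a breach corpus using the Pwned Passwords k-anonymity range scheme. The breach corpus and its range responses are constructed locally so it runs offline; the NFKC normalisation step is taken from SP 800-63B's Unicode recommendation rather than from the list above.

```python
import hashlib
import unicodedata

MIN_LEN = 8   # user-chosen passwords (SP 800-63B)
MAX_LEN = 64  # verifier must accept at least this many characters

def _sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for Pwned Passwords "range" responses, keyed by the
# first 5 hex chars of a SHA-1 hash, each line "<35-char suffix>:<count>".
# A real client fetches https://api.pwnedpasswords.com/range/<prefix>;
# this dict is built locally so the example runs offline.
LOCAL_RANGES: dict[str, list[str]] = {}
for _pw in ["password123", "P@ssw0rd!", "qwerty"]:  # constructed breach corpus
    _h = _sha1_upper(_pw)
    LOCAL_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:1000")

def breach_count(password: str, ranges=LOCAL_RANGES) -> int:
    """k-anonymity lookup: only the 5-char prefix would ever leave the client;
    matching the remaining 35 chars happens locally."""
    h = _sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in ranges.get(prefix, []):
        cand, count = line.split(":")
        if cand == suffix:
            return int(count)
    return 0

def check_password(password: str) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    # Normalise Unicode (NFKC) so visually identical input hashes identically
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)  # code points, not bytes: a 4-byte emoji counts as 1 character
    if n < MIN_LEN:
        problems.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        # Reject explicitly rather than silently truncating
        problems.append(f"too long: {n} > {MAX_LEN} characters")
    # No composition rules: spaces, punctuation and Unicode are all accepted,
    # so the only remaining gate is the breach corpus.
    count = breach_count(pw)
    if count:
        problems.append(f"appears in breach corpus ({count} times)")
    return problems
```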
Password Security Tips
- ✓ Use a password manager to generate and store unique passwords
- ✓ Create passphrases with 4-5 random words (e.g., "correct-horse-battery-staple")
- ✓ Never reuse passwords across different sites
- ✓ Enable two-factor authentication (2FA) whenever available
- ✓ Avoid personal information (names, birthdays, addresses)
- ✓ Change passwords immediately if a service reports a breach
References & Citations
- National Institute of Standards and Technology (NIST). (2024). Digital Identity Guidelines - Authentication and Lifecycle Management. Retrieved from https://pages.nist.gov/800-63-3/sp800-63b.html (accessed January 2025)
- Troy Hunt. (2024). Pwned Passwords. Have I Been Pwned. Retrieved from https://haveibeenpwned.com/Passwords (accessed January 2025)
- Wikipedia. (2024). Password strength. Retrieved from https://en.wikipedia.org/wiki/Password_strength (accessed January 2025)
Key Security Terms
Brute Force Attack
A trial-and-error method of guessing passwords, encryption keys, or credentials by systematically trying all possibilities.
Multi-Factor Authentication (MFA)
An authentication method that requires users to provide two or more verification factors to gain access.
Frequently Asked Questions
Strong passwords have 16 or more characters (longer is stronger), a mix of uppercase, lowercase, numbers and symbols, no dictionary words or personal information, no patterns (123, abc), and are unique per account. Example: "Tr0pic@l-Sunset#47$Moon". Use passphrases, such as "Coffee!Mountain$River29". Entropy above 60 bits is ideal. Avoid: password123, qwerty, 12345678. Use a password manager to generate and store unique passwords for every account.