Password Complexity Standard


To define minimum password complexity requirements based upon assigned password policy


  1. Password construction attributes (Table 1) for each password policy level are selected to achieve the specified minimum entropy.
  2. Password composition rules require the inclusion of 3 of the 4 following character sets:
    lowercase letters, uppercase letters, numerals and special characters. Allowable special characters are ~ ! @ # $ % ^ & * ( ) _ + | - = \ { } [ ] : " ; ' < > ? , . / and the space character. Passwords may not include words of more than 4 characters, as tested against a dictionary of at least 50,000 words.
  3. For all policy levels, the selection of a passphrase of at least 18 characters eliminates the password composition rules and dictionary check. Passphrases are subject to minimal tests to prevent use of common or trivial phrases.
  4. Authentication token devices may be offered for use with policy levels P3-P5. When authentication token devices are used in conjunction with a password, the password is not required to comply with password construction attributes or composition rules.
Table 1

                                     P1     P2     P3     P4     P5
Minimum entropy bits                 30     30     30     31.5   31.5
Minimum length of password           8      8      8      9      9
Maximum age of password (in days)    365    365    365    180    180
Password minimum age for reset (in
Password uniqueness/history (days)   200    200    200    200    200
Failed attempts before lockout       10     10     10     10     10
Lockout duration (minutes)           30     30     30     30     30
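
The composition rules and the Table 1 minimum lengths can be expressed as a single check. The following is an added example, not part of the standard: the function name, the level names P1-P5 for the five table columns, the tiny DICTIONARY and TRIVIAL_PHRASES sets, the "fewer than 5 distinct characters" passphrase test, and case-insensitive substring matching for the dictionary rule are all assumptions made for illustration.

```python
import string

# Minimum password length per policy level, from Table 1 of the standard.
# The level names P1-P5 for the table's five columns are an assumption.
MIN_LENGTH = {"P1": 8, "P2": 8, "P3": 8, "P4": 9, "P5": 9}
PASSPHRASE_MIN = 18
SPECIALS = set("~!@#$%^&*()_+|-=\\{}[]:\";'<>?,./ ")
# Constructed stand-ins: the standard calls for a dictionary of at least
# 50,000 words and does not spell out its "common or trivial phrase" tests.
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey"}
TRIVIAL_PHRASES = {"passwordpasswordpassword", "thequickbrownfoxjumps"}

def check_password(pw, level, has_token=False, dictionary=DICTIONARY):
    """Return a list of violations; an empty list means the password is accepted."""
    if has_token and level in ("P3", "P4", "P5"):
        return []  # rule 4: a token device waives construction and composition rules
    allowed = set(string.ascii_letters + string.digits) | SPECIALS
    if any(ch not in allowed for ch in pw):
        return ["contains a character outside the allowable sets"]
    if len(pw) >= PASSPHRASE_MIN:
        # Rule 3: passphrases skip composition and dictionary checks,
        # but still get a minimal triviality test (assumed form).
        if pw.lower() in TRIVIAL_PHRASES or len(set(pw)) < 5:
            return ["common or trivial passphrase"]
        return []
    problems = []
    if len(pw) < MIN_LENGTH[level]:
        problems.append(f"shorter than {MIN_LENGTH[level]} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if sum(classes) < 3:  # rule 2: at least 3 of the 4 character sets
        problems.append("fewer than 3 of the 4 character sets")
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) > 4 and w in lowered)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems
```

The lockout and password-age rows of Table 1 are enforced by the authentication system over time and are outside what a per-password check can cover.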


SEC-AC-002.01: Authentication Management Standard
NIST Special Publication 800-63 revision 1: Electronic Authentication Guideline

Effective Date:

July 15, 2013