spec checked
NIST SP 800-63B Passwords
Documents passwords as memorized secrets, minimum and maximum length expectations, acceptance of spaces and printable characters, no composition rules, blocklist checks for creation, rate limiting, password-manager and autofill support, paste support, display option, protected channels, and salted password hashing.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Password creation | Choose password creation when the user must choose or replace a reusable password, passphrase, or memorized secret. | Typing, paste, autofill, password-manager generation, deletion, and selection follow native input behavior. | NIST supports blocklist rejection, length requirements, no composition rules, printable and Unicode characters, password-manager and paste support, display option, protected channels, and salted hashing. |
| Password input | Choose password input when the value is a password, passphrase, PIN-like memorized secret, current password, reauthentication secret, or credential confirmation value. | Typing, paste, selection, deletion, undo, and password-manager autofill work through native input behavior. | NIST supports password-manager and autofill use, paste support, display option, length expectations, no composition rules, protected channels, rate limits, and salted hashing. |
| Password reset | Choose password reset when an unauthenticated or partially authenticated user needs to regain account access by proving control of a recovery channel and setting a replacement password. | Submitting an identifier always leads to the same visible confirmation, regardless of whether an account exists. | NIST supports blocklist checks, password-manager and paste support, protected channels, hashing, and avoiding unsupported password rules during new-password setup. |
| Sensitive-data reveal | Choose sensitive-data reveal when a normally masked or redacted value needs a deliberate temporary reveal, hide, peek, copy, partial reveal, reauthentication, or audited access path. | The value is masked by default unless the user is actively entering it and the platform-specific control intentionally permits display. | NIST supports offering a display option for entered passwords, paste support, password-manager compatibility, and user control based on observation risk. |
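A password-creation check that applies the rules listed above (length bounds, spaces and printable Unicode accepted, no composition rules, blocklist rejection, salted iterated hashing), written as an added example that is not part of this page or of the NIST publication. The 8- and 64-character thresholds are the spec's published values rather than numbers on this page, and the blocklist is a constructed stand-in for a real breach-corpus list.

```python
import hashlib
import os
import unicodedata
from typing import Optional

# Constructed blocklist for the example; a deployment would load a large
# list of breached and dictionary passwords as the spec describes.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "correct horse"}

# Thresholds taken from the published spec (assumed here, not on this page):
# at least 8 characters required, at least 64 characters accepted.
MIN_LENGTH = 8
MAX_LENGTH = 64


def check_password(candidate: str) -> list:
    """Return rejection reasons; an empty list means the password is acceptable.

    Deliberately absent: composition rules (required digits, symbols, mixed
    case) and hints, which the spec rejects. Spaces and any printable
    Unicode character are accepted.
    """
    # NFKC normalization so visually identical input typed on different
    # platforms compares and hashes identically.
    normalized = unicodedata.normalize("NFKC", candidate)
    reasons = []
    # Count code points, not bytes, so multi-byte characters are not penalized.
    if len(normalized) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalized) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Control characters cannot be typed deliberately; all printable ones pass.
    if any(unicodedata.category(ch).startswith("C") for ch in normalized):
        reasons.append("contains non-printable characters")
    # Blocklist comparison is case-insensitive on the normalized value.
    if normalized.casefold() in BLOCKLIST:
        reasons.append("appears on the blocklist")
    return reasons


def hash_password(candidate: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash of the normalized secret; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    normalized = unicodedata.normalize("NFKC", candidate).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", normalized, salt, 600_000)
    return salt, digest
```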
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: National Institute of Standards and Technology. Last checked: .