The Science of Password Strength: What NIST SP 800-63B Actually Says
Why "Change Your Password Every 90 Days" Was Bad Advice
For decades, IT departments worldwide enforced mandatory password rotation — typically every 30, 60, or 90 days. The intuition seemed sound: frequent changes limit the window of exposure if a password is compromised. The actual outcome was the opposite.
In 2017, the National Institute of Standards and Technology (NIST) published SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management), revised again in 2024, which explicitly abandoned the recommendation for periodic password changes. NIST's position is based on behavioral data: when forced to change passwords frequently, users predictably choose weaker passwords and make trivial incremental changes ("Summer2024!" → "Summer2025!") that provide minimal additional security.
This article covers what NIST SP 800-63B actually recommends, the mathematics of password entropy, the zxcvbn algorithm that powers realistic strength evaluation, and the practical hierarchy of authentication security in 2024.
Password Entropy: The Mathematics of Unpredictability
Entropy (borrowed from information theory) quantifies how difficult a password is to guess. It is measured in bits. Each additional bit doubles the number of guesses required to crack the password.
The Entropy Formula
Entropy (bits) = length × log₂(character set size)
| Character set | Set size | Entropy per character |
|---|---|---|
| Digits only | 10 | 3.32 bits |
| Lowercase letters | 26 | 4.70 bits |
| Upper + lowercase | 52 | 5.70 bits |
| Upper + lower + digits | 62 | 5.95 bits |
| Upper + lower + digits + symbols (94 printable) | 94 | 6.55 bits |
Example: 12-character random password using the full 94-character set:
Entropy = 12 × 6.55 = 78.6 bits
Practical benchmarks:
- < 40 bits: Weak — crackable in minutes to days with consumer hardware
- 40–60 bits: Moderate
- 60–80 bits: Strong (NIST target range)
- 80+ bits: Very strong
The length vs. complexity trade-off:
8 chars (upper + lower + digits + symbols): 8 × 6.55 = 52.4 bits
16 chars (lowercase only): 16 × 4.70 = 75.2 bits
A 16-character lowercase password has 23 more bits of entropy than an 8-character "complex" one. This is why NIST's 2024 guidelines prioritize length (minimum 8, recommended 15+) over complexity requirements.
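The calculation above, written out as an added example (this is not code from the article). The `charset_size` helper infers which of the table's character classes a password uses, which is what a brute-force attacker assumes, and `crack_seconds` extends the formula to an expected crack time at whatever guess rate you supply; the rate used in the demo is an assumed figure, not a measurement.

```python
import math

# Class sizes from the table above: 26 + 26 + 10 + 32 = 94 printable ASCII characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def charset_size(password: str) -> int:
    """Smallest ASCII character set containing every character of the password.
    A brute-force attacker who knows nothing else enumerates exactly this set."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):   # punctuation, space, etc.
        size += CLASS_SIZES["symbol"]
    return size


def entropy_bits(length: int, charset: int) -> float:
    """Entropy (bits) = length x log2(character set size), for a truly random password."""
    return length * math.log2(charset)


def password_entropy(password: str) -> float:
    """Theoretical entropy of a password, assuming each character was drawn uniformly
    from the inferred character set (the caveat in the next section applies)."""
    size = charset_size(password)
    return entropy_bits(len(password), size) if size else 0.0


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: on average the attacker covers
    half the keyspace (2 ** (bits - 1) guesses) before hitting it."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1e11   # assumed guesses/second for a fast hash, illustration only
    # Constructed samples: an 8-character "complex" password and a 16-character lowercase one.
    for pw in ("Abc$1234", "northwindtangent"):
        bits = password_entropy(pw)
        print(f"{pw:18} set={charset_size(pw):3} bits={bits:5.1f} "
              f"expected crack time={crack_seconds(bits, ASSUMED_RATE):.3g} s")
```

Run as a script it reproduces the 52.4 vs 75.2 bit comparison above and shows that the 23 extra bits translate into a factor of roughly 8 million in attacker effort, whatever the guess rate.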
The Critical Limitation of Entropy
Entropy assumes truly random character selection. Human-generated passwords are not random. They follow predictable patterns: capitalization at the start, numbers and symbols at the end, common substitutions (a→@, o→0), dictionary words, keyboard walks (qwerty, asdf1234), dates, and names.
A password like "Tr0ub4dor&3" has a theoretical entropy of ~71 bits but is far weaker in practice because it follows patterns that modern cracking tools are designed to detect.
zxcvbn: Modeling Realistic Attack Scenarios
To bridge the gap between theoretical entropy and real-world crackability, Dropbox engineer Dan Wheeler developed zxcvbn (published at USENIX Security 2016). Rather than calculating theoretical entropy, zxcvbn asks: how many guesses would a sophisticated attacker need?
What zxcvbn Detects
zxcvbn breaks the password into tokens and identifies the cheapest-to-crack interpretation of each:
- Dictionary matches: Common English words, names, common passwords from leaked credential lists (including the RockYou database of 14 million real-world passwords)
- Date patterns: Years 1900–2050, common date formats (MMDDYYYY, YYYY-MM-DD, etc.)
- Keyboard patterns: qwerty, asdfgh, zxcvbn, qazwsx, and similar keyboard walks
- Repeats: aaaaaa, abcabc
- Sequences: abcde, 12345, fedcba
- Capitalization patterns: First-letter cap, all caps, no caps — only the deviation from the most common pattern is counted
- Common substitutions: a→@, e→3, i→1, o→0, s→$, z→2
For each token, zxcvbn estimates the number of guesses required and sums across the whole password. The result is an estimated guess count and a score from 0 (very weak) to 4 (very strong).
A Practical Example
P@ssw0rd1 — visual inspection suggests complexity:
- Contains uppercase, lowercase, digits, symbols
- 9 characters long
- Theoretical entropy: ~59 bits
zxcvbn analysis:
- Dictionary match: "password" (rank 2 in common password lists)
- Common substitutions detected: a→@, o→0
- Trailing digit pattern detected
- Estimated score: 1 (weak) — approximately 100–10,000 guesses needed
correct-horse-battery-staple — appears simple:
- Lowercase only, 4 dictionary words
- Theoretical entropy (treating as a word-based passphrase): ~44 bits
zxcvbn analysis (if the four words were chosen randomly):
- No common pattern matches across the sequence
- Estimated score: 4 (very strong) — billions of guesses needed
The Password Strength Checker on this site uses zxcvbn, giving you a realistic assessment rather than a false sense of security from symbol inclusion alone.
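The following is an added example, not code from the article, from zxcvbn, or from the site's checker: a deliberately small estimator in the spirit of zxcvbn that finds the cheapest interpretation of each token (dictionary hit with l33t substitutions undone and capitalisation charged, sequence, repeat, keyboard walk, or brute force), multiplies across tokens, and maps the guess count onto the 0-4 score bands at 10^3, 10^6, 10^8 and 10^10 guesses. The ranked word list and its ranks are constructed for illustration (a real checker loads tens of thousands of leaked passwords), so the guess counts differ from the real library's: here "P@ssw0rd1" costs only a few hundred guesses because a rank-2 word with two substitutions, one capital and one trailing digit is cheap, while four independently chosen words multiply out to a score of 4.

```python
import math
import re

# Constructed ranked dictionary (rank 1 = most common); ranks are illustrative only.
RANKED_WORDS = {
    "123456": 1, "password": 2, "12345678": 3, "qwerty": 4, "abc123": 5,
    "letmein": 6, "summer": 7, "welcome": 8, "dragon": 9, "iloveyou": 10,
    "horse": 1500, "staple": 2700, "correct": 3200, "battery": 4100,
}
L33T_TABLE = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
              "0": "o", "$": "s", "5": "s", "7": "t", "2": "z"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
SUFFIX_CHARS = "0123456789!@#$%^&*?."      # characters commonly tacked on the end
SCORE_BANDS = (1e3, 1e6, 1e8, 1e10)        # guess thresholds between scores 0..4


def charset_size(s):
    size = 0
    if re.search(r"[a-z]", s): size += 26
    if re.search(r"[A-Z]", s): size += 26
    if re.search(r"[0-9]", s): size += 10
    if re.search(r"[^a-zA-Z0-9]", s): size += 32
    return max(size, 10)


def brute_force_guesses(tok):
    """Fallback: the attacker enumerates the whole inferred character set."""
    return charset_size(tok) ** len(tok)


def case_variations(word):
    """Only deviation from the most common pattern (all lowercase) costs guesses."""
    if word == word.lower():
        return 1
    if word == word.upper() or (word[0].isupper() and word[1:].islower()):
        return 2                      # all caps / first-letter cap are common patterns
    return 2 ** len(word)             # crude charge for any other mixed-case pattern


def dictionary_guesses(tok):
    """Cheapest dictionary reading: undo l33t substitutions, treat a trailing run of
    digits/symbols as an appended suffix, and charge for capitalisation."""
    best = None
    stripped = tok.rstrip(SUFFIX_CHARS)
    for base, suffix in ((tok, ""), (stripped, tok[len(stripped):])):
        if not base:
            continue
        for unleet in (False, True):
            word = "".join(L33T_TABLE.get(c, c) for c in base) if unleet else base
            rank = RANKED_WORDS.get(word.lower())
            if rank is None:
                continue
            guesses = rank * case_variations(word)
            if unleet:
                guesses *= 2 ** sum(c in L33T_TABLE for c in base)  # each substitution doubles the work
            guesses *= 10 ** len(suffix)   # crude stand-in for zxcvbn's date/sequence matchers
            best = guesses if best is None else min(best, guesses)
    return best


def sequence_guesses(tok):
    """abcde, 12345, fedcba: cheap if they start on an obvious key and run one way."""
    if len(tok) < 3:
        return None
    deltas = {ord(b) - ord(a) for a, b in zip(tok, tok[1:])}
    if deltas not in ({1}, {-1}):
        return None
    first = tok[0]
    base = 4 if first in "aAzZ019" else (10 if first.isdigit() else 26)
    return base * len(tok) * (2 if deltas == {-1} else 1)   # descending is rarer


def repeat_guesses(tok):
    """aaaaaa, abcabc: the repeated unit's own cost times the repeat count."""
    m = re.fullmatch(r"(.+?)\1+", tok)
    if not m:
        return None
    unit = m.group(1)
    return token_guesses(unit) * (len(tok) // len(unit))


def keyboard_guesses(tok):
    low = tok.lower()
    if len(low) < 3:
        return None
    for row in KEYBOARD_ROWS:
        if low in row or low in row[::-1]:
            return 2 * len(row) * len(low)    # start key, direction, walk length
    return None


def token_guesses(tok):
    candidates = [brute_force_guesses(tok)]
    for matcher in (dictionary_guesses, sequence_guesses, repeat_guesses, keyboard_guesses):
        g = matcher(tok)
        if g is not None:
            candidates.append(g)
    return min(candidates)


def estimate(password):
    """Split on separators, take the cheapest reading of each piece, multiply."""
    tokens = [t for t in re.split(r"[\s\-_]+", password) if t] or [password]
    guesses = math.factorial(len(tokens))   # attacker must also guess how pieces were combined
    for tok in tokens:
        guesses *= token_guesses(tok)
    score = sum(guesses >= band for band in SCORE_BANDS)
    return {"tokens": tokens, "guesses": guesses,
            "log10_guesses": round(math.log10(guesses), 1), "score": score}


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "correct-horse-battery-staple", "aaaaaa", "abcde", "Summer2024!"):
        print(f"{pw:30} {estimate(pw)}")
```

The real zxcvbn differs in two important ways: it searches every way of segmenting the password (not just separator splits) for the globally cheapest match sequence, and its dictionaries are large enough that ranks, not brute force, dominate for most human-chosen passwords.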
Dictionary Attacks vs. Brute Force: How Passwords Are Actually Cracked
Brute Force Attacks
A brute-force attack systematically tries every possible combination; the only things that resist it are length and character set size.
Modern GPU cracking speed estimates (2024, MD5 hashing):
| Password | Character set | Combinations | Time to crack (estimate) |
|---|---|---|---|
| 8 chars | 62 (alphanumeric) | 218 trillion | Minutes to hours |
| 10 chars | 62 | 839 quintillion | Years |
| 12 chars | 62 | 3.2 sextillion | Millions of years |
| 12 chars | 94 (full printable) | 475 sextillion | Extremely long |
Important caveat: These figures assume MD5 — which no well-designed system should use for password storage. bcrypt, scrypt, and Argon2id are designed to be deliberately slow, making brute force attacks orders of magnitude more expensive regardless of GPU speed. The OWASP Password Storage Cheat Sheet recommends Argon2id as the primary choice for new systems.
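To make the caveat concrete, here is an added example (not the article's or OWASP's code) of the slow-hash side of password storage using only the Python standard library. It uses PBKDF2-HMAC-SHA256 at the work factor OWASP gives for that algorithm because Argon2id needs a third-party library; the `algorithm$iterations$salt$hash` record layout is an assumption modelled on the delimited formats common web frameworks use. `slowdown_factor` measures how many MD5 hashes fit into one derivation, which is roughly the factor by which an attacker's guess rate drops relative to the MD5 table above.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP's suggested work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. A fresh random salt per password defeats
    precomputed tables and hides reuse of the same password across accounts."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")))


def _parse(record: str):
    """Return (iterations, salt, digest) or None for a malformed/foreign record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        iterations = int(parts[1])
        salt, digest = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:            # bad integer or bad base64 (binascii.Error is a ValueError)
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify_password(password: str, record: str) -> bool:
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below current policy: re-hash the
    password on the next successful login rather than forcing a reset."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def slowdown_factor(iterations: int = DEFAULT_ITERATIONS, trials: int = 5) -> float:
    """MD5 hashes per PBKDF2 derivation on this machine (a rough local estimate)."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations)
    slow = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    for _ in range(100_000):
        hashlib.md5(b"benchmark").digest()
    fast = (time.perf_counter() - start) / 100_000
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("correct horse battery stable", record))
    print(f"one derivation costs about {slowdown_factor():,.0f} MD5 hashes")
```

The work factor is stored in the record so it can be raised over time: `needs_rehash` lets the verifier upgrade old hashes transparently, which is how a deployment keeps pace with faster GPUs without forcing password changes.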
Dictionary and Rule-Based Attacks (The Real Threat)
Modern password crackers (Hashcat, John the Ripper) don't rely on pure brute force for typical passwords. They use:
- Wordlists: Millions of real-world passwords from data breaches (RockYou, Collection #1-5, etc.)
- Rules: Systematic transformations — append years, toggle case, apply common substitutions
- Combinator attacks: Concatenate pairs of words from two wordlists
- Markov chains: Generate statistically likely character sequences based on real password patterns
A sufficiently rule-augmented dictionary attack will crack "P@ssw0rd2024!" in minutes, despite its apparent complexity.
Have I Been Pwned and Credential Stuffing
Troy Hunt's Have I Been Pwned (HIBP) database contained over 13 billion breached password records as of 2024. Attackers don't start with dictionary rules — they start with actual breached credentials. If your password appeared in any historical breach, it is in attack dictionaries regardless of its apparent complexity.
NIST SP 800-63B explicitly recommends checking new passwords against breach lists: "Verifiers SHALL compare the prospective secret against a list that contains values known to be commonly-used, expected, or compromised. If the chosen secret is found in the list, the verifier SHALL advise the subscriber that they need to select a different secret."
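One way a verifier can meet that requirement without ever sending the password anywhere is HIBP's k-anonymity range API: only the first five hex characters of the SHA-1 hash leave the host, and the client matches the remaining 35 against the returned list locally. The code below is an added example (not the article's, not Troy Hunt's client code); `SAMPLE_RANGE_BODY` is a constructed stand-in for the endpoint's response, in which the first suffix is the real SHA-1 remainder of "password" but every count and the other suffixes are made up, so the example runs offline. `fetch_range` is the live lookup and is not exercised by the offline demo.

```python
import hashlib
import urllib.request
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for prefix 5BAA6, one "SUFFIX:COUNT" per line.
# The first suffix really is SHA-1("password")[5:]; counts and other lines are invented.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E2D2AC5C5B5C8C3B9F1D7A0D0E4C1B2A33:2
1F0A7D4E9C3B2A1D0E5F6A7B8C9D0E1F2A3:0
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Count of breach appearances for our suffix, 0 if absent. Padded responses
    contain decoy suffixes with count 0, which need no special handling."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup: GET /range/{prefix}. Add-Padding asks the service to pad the
    response so its size does not leak which prefix bucket was requested."""
    request = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "breach-screening-example", "Add-Padding": "true"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def screen_new_secret(password: str, fetch: Callable[[str], str] = fetch_range) -> str:
    """Verifier-side decision in the spirit of the NIST text quoted above."""
    count = breach_count(password, fetch)
    if count:
        return f"rejected: appears {count} times in known breaches; choose a different secret"
    return "accepted"


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY     # stand-in for fetch_range
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: {screen_new_secret(pw, fetch=offline)}")
```

Swap the `offline` stand-in for the default `fetch_range` to query the live service; the password itself, and even most of its hash, still never leaves the verifier.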
NIST SP 800-63B: What the 2024 Guidelines Actually Say
What NIST Recommends
The 2024 revision of SP 800-63B specifies these requirements for memorized secrets:
- Minimum length: 8 characters (verifiers SHOULD support 64+ characters)
- All Unicode characters including spaces SHALL be accepted
- No composition rules (must-include uppercase/digit/symbol requirements are out)
- No password hints or knowledge-based authentication (security questions)
- No mandatory periodic changes unless there is evidence of compromise
- Paste functionality SHALL NOT be prevented in password fields
- Rate limiting: No more than 10 failed attempts without adding friction (CAPTCHA, lockout, etc.)
- Breach screening: Compare against known-compromised password lists
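The verifier-side rules in that list, implemented as an added example (this is not NIST's or the article's code). It deliberately contains no composition check, counts length in Unicode code points after NFKC normalization so spaces and emoji each count as one character, accepts far more than 64 characters (the cap here is an assumed 256, only to bound hashing cost), compares against a caller-supplied blocklist assumed to be pre-normalized and lower-cased, and trips the friction flag at the 10 consecutive failures stated above.

```python
import unicodedata
from collections import defaultdict

MIN_LENGTH = 8              # minimum for user-chosen memorized secrets
MAX_LENGTH = 256            # assumed cap; NIST requires that at least 64 be accepted
FAILED_ATTEMPT_LIMIT = 10   # consecutive failures before friction, per the list above


def validate_memorized_secret(secret: str, blocklist) -> list:
    """Return the reasons to reject the secret; an empty list means accepted.
    No composition rules: any Unicode character, including space, is allowed."""
    # Normalize first so visually identical inputs compare and measure the same way.
    normalized = unicodedata.normalize("NFKC", secret)
    reasons = []
    length = len(normalized)   # code points, not bytes
    if length < MIN_LENGTH:
        reasons.append(f"too short: {length} < {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"too long: {length} > {MAX_LENGTH} characters")
    # Blocklist assumed to hold NFKC-normalized, lower-cased entries (constructed in the demo).
    if normalized in blocklist or normalized.casefold() in blocklist:
        reasons.append("appears in a list of commonly used, expected, or compromised secrets")
    return reasons


class FailedAttemptLimiter:
    """Consecutive-failure counter per account. Once the limit is reached the
    caller must add friction (CAPTCHA, delay, secondary check) before allowing
    further attempts; a success resets the counter."""

    def __init__(self, limit: int = FAILED_ATTEMPT_LIMIT):
        self.limit = limit
        self._failures = defaultdict(int)

    def needs_friction(self, account: str) -> bool:
        return self._failures[account] >= self.limit

    def record_failure(self, account: str) -> bool:
        self._failures[account] += 1
        return self.needs_friction(account)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


if __name__ == "__main__":
    blocklist = {"password", "123456", "qwerty", "letmein"}   # constructed sample
    for candidate in ("correct horse battery staple", "short", "PASSWORD", "\U0001F511" * 8):
        print(f"{candidate!r}: {validate_memorized_secret(candidate, blocklist) or 'accepted'}")
    limiter = FailedAttemptLimiter()
    for attempt in range(1, 12):
        if limiter.record_failure("alice"):
            print(f"attempt {attempt}: friction required")
            break
```

Note what is absent: no check for uppercase, digits or symbols, no hint storage, no expiry date on the record. Those are the old rules the next table explains NIST dropped.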
What NIST No Longer Recommends
| Old "Best Practice" | Why NIST Abandoned It |
|---|---|
| Mandatory 90-day rotation | Users make trivial incremental changes; weakens passwords overall |
| Complexity rules (uppercase + number + symbol) | Produces predictable patterns like "P@ss1word!" |
| Password hints | Hints provide attackers with useful information |
| Security questions | Answers are often guessable or publicly available |
| Blocking paste | Prevents password manager use; increases weak-password behavior |
CISA's 2024 Secure by Design guidance aligns with NIST, adding a recommendation for 15+ character minimum lengths and default MFA enrollment.
Passphrases: Why "correct horse battery staple" Works
XKCD comic 936 (August 2011) popularized the passphrase concept and remains a clean illustration of the underlying math. A passphrase combines multiple random words into a memorable sequence.
The Diceware method (invented by Arnold Reinhold) uses physical dice to select words from a numbered word list. Rolling a die five times (or five dice once) produces a 5-digit code; each code maps to one word. The randomness is physical, not algorithmic.
With a 7,776-word Diceware list (6⁵ codes, one word per 5 dice rolls), each word contributes log₂(7,776) ≈ 12.9 bits of entropy:
| Word count | Entropy | Estimated crack time |
|---|---|---|
| 4 words | ~51.7 bits | Very hard |
| 5 words | ~64.6 bits | Extremely hard (NIST-recommended range) |
| 6 words | ~77.5 bits | Effectively uncrackable |
A 6-word Diceware passphrase is more secure than any 12-character random password from a 94-character set, and dramatically easier to memorize.
Avoid: phrases from songs, quotes, idioms, or anything with cultural familiarity. The value comes from randomness, not length alone.
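The Diceware procedure above in code, as an added example that is not Reinhold's or the article's: dice rolls come from the operating system CSPRNG via `secrets` rather than physical dice, each five-roll key is converted to a list index in base 6, and the entropy is computed from the actual list size. `SAMPLE_WORDS` is a constructed 36-entry stand-in (only about 5.2 bits per word); `load_diceware_list` reads a real 7,776-line list whose lines look like `11111 a`, and the file path is a user-supplied assumption.

```python
import math
import secrets
import sys

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD   # 7,776 words on a full Diceware list

# Constructed stand-in list; a real list is loaded with load_diceware_list().
SAMPLE_WORDS = [
    "acorn", "basil", "cabin", "delta", "ember", "fable", "gravel", "harbor", "ivory",
    "jungle", "kettle", "lantern", "marble", "nectar", "oasis", "pebble", "quartz",
    "ridge", "saddle", "timber", "umbra", "velvet", "walnut", "yonder", "zephyr",
    "anchor", "bramble", "copper", "dusk", "falcon", "glacier", "hazel", "iris",
    "juniper", "kiwi", "lotus",
]


def roll_key(rng=secrets) -> str:
    """Five dice from a CSPRNG (never the `random` module), as digits 1-6."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """'11111' .. '66666' -> 0 .. 7775: the key is a base-6 number with digits 1-6."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a {DICE_PER_WORD}-dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_key(index: int) -> str:
    digits = []
    for _ in range(DICE_PER_WORD):
        digits.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(digits))


def load_diceware_list(path: str) -> list:
    """Read a 'KEY word' per line list; other lines (e.g. signature headers) are ignored."""
    words = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD and set(parts[0]) <= set("123456"):
                words[parts[0]] = parts[1]
    if len(words) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} keyed words, found {len(words)}")
    return [words[index_to_key(i)] for i in range(LIST_SIZE)]


def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Each independently chosen word contributes log2(list size) bits."""
    return n_words * math.log2(list_size)


def generate_passphrase(words: list, n_words: int, rng=secrets, separator: str = " ") -> str:
    """Choose words independently and uniformly. A full list is indexed by dice
    keys; any other size is indexed directly with randbelow to avoid modulo bias."""
    if len(words) == LIST_SIZE:
        chosen = [words[key_to_index(roll_key(rng))] for _ in range(n_words)]
    else:
        chosen = [words[rng.randbelow(len(words))] for _ in range(n_words)]
    return separator.join(chosen)


if __name__ == "__main__":
    words = load_diceware_list(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WORDS
    for n in (4, 5, 6):
        print(f"{n} words: {passphrase_entropy_bits(n, len(words)):5.1f} bits  "
              f"e.g. {generate_passphrase(words, n)!r}")
```

Two properties matter and are visible in the code: the source of randomness is a CSPRNG, and the entropy depends only on the list size and word count, not on how long or exotic the words are.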
MFA: Authentication Assurance Levels
Passwords alone are insufficient for protecting high-value accounts. NIST SP 800-63B defines three Authentication Assurance Levels (AAL):
| AAL | Requirements | Use case |
|---|---|---|
| AAL1 | Single factor (password) | Low-risk systems |
| AAL2 | Two factors required | Most enterprise and high-value consumer systems |
| AAL3 | Hardware-bound authenticator + verifier impersonation resistance | Government, high-security |
MFA Method Comparison
| Method | NIST Classification | Phishing resistant? | Notable weakness |
|---|---|---|---|
| SMS OTP | Restricted (AAL2) | No | SIM swap, SS7 interception |
| Email OTP | Not explicitly rated | No | Compromised email account |
| TOTP app (Authy, Google Auth) | AAL2 | Partially | Real-time phishing (AiTM) |
| FIDO2/WebAuthn hardware key | AAL2–3 | Yes | Physical key loss |
| Passkey (FIDO2, device-bound) | AAL2–3 | Yes | Device loss (mitigated by sync) |
NIST SP 800-63B classifies SMS OTP as a "restricted authenticator" and notes that agencies using it must have a migration plan to more secure methods. The vulnerability: SIM swap attacks (convincing a carrier to transfer a phone number) and SS7 protocol interception can intercept SMS codes.
Passkeys (FIDO2 with device biometrics) represent the current state-of-the-art for consumer authentication: phishing-resistant, no password to steal, synced across devices via iCloud Keychain, Google Password Manager, or 1Password.
Password Managers: The Only Realistic Solution
Fully implementing NIST's recommendations — unique, random 15+ character passwords for every service — is humanly impossible without a password manager. The math is simple: a person with 100 online accounts cannot memorize 100 unique 20-character random strings.
A well-designed password manager addresses this with zero-knowledge encryption: the vault is encrypted locally using a key derived from the master password. The service provider never has access to plaintext passwords — even in the event of a server breach.
Recommended options:
| Manager | Architecture | Open source | Notable feature |
|---|---|---|---|
| Bitwarden | Cloud / self-hosted | Yes | Independent audit, free tier |
| 1Password | Cloud | No | Travel mode, family sharing |
| KeePassXC | Local only | Yes | Fully offline, no account required |
Master password requirements: The master password protects everything. Use a 6-word Diceware passphrase (minimum), stored as a physical backup in a secure location. Never reuse it anywhere else.
Practical Recommendations Summary
| Priority | Action |
|---|---|
| 1 | Enable FIDO2/passkey on every service that supports it |
| 2 | Use a password manager with a strong master passphrase |
| 3 | Set unique 16+ character random passwords for all accounts |
| 4 | Enable TOTP MFA where passkeys aren't available |
| 5 | Check accounts at haveibeenpwned.com; change any breached passwords |
| 6 | Ignore complexity rules; focus on length and uniqueness |
| 7 | Do NOT rotate passwords on a fixed schedule unless breached |
Use the Password Strength Checker to evaluate your current passwords with zxcvbn-based analysis, and the Password Generator to create cryptographically random replacements.
References
- NIST. SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management, 3rd Revision. 2024. https://pages.nist.gov/800-63-4/sp800-63b.html
- OWASP. Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
- Wheeler D. zxcvbn: Low-Budget Password Strength Estimation. USENIX Security 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
- CISA. Secure by Design. 2024. https://www.cisa.gov/securebydesign
- Hunt T. Have I Been Pwned. https://haveibeenpwned.com/
- Reinhold A. Diceware Passphrase FAQ. https://theworld.com/~reinhold/diceware.html
- Munroe R. XKCD 936: Password Strength. 2011. https://xkcd.com/936/
Disclaimer: This article is for general informational purposes and does not constitute professional security advice. System-specific authentication requirements depend on regulatory context, threat model, and organizational risk tolerance. Consult a qualified security professional for guidance on production systems.
