NIST SP 800-63B – Memorized secret (password) guidance

Memorized secrets are a type of authenticator that users are expected to remember. They are often used in conjunction with other authenticators, such as passwords and PINs, to provide a higher level of assurance of the user’s identity.

The NIST SP 800-63B guidelines for memorized secrets provide recommendations for how to design and implement such authenticators. These guidelines include the following:

* Memorized secrets should be at least 8 characters long and contain a mix of uppercase and lowercase letters, numbers, and symbols.

* Memorized secrets should not be easily guessed, such as the user’s name, birthday, or address.

* Memorized secrets should be changed regularly.

* Users should be encouraged to use a password manager to help them remember their memorized secrets.

The NIST SP 800-63B guidelines are designed to help organizations improve the security of their memorized secrets. By following these guidelines, organizations can help to reduce the risk of unauthorized access to their systems and data.

Here are some additional tips for creating strong memorized secrets:

* Use a phrase instead of a single word.

* Include numbers and symbols.

* Make it difficult to guess by avoiding common words and phrases.

* Don’t use the same memorized secret for multiple accounts.

* Change your memorized secrets regularly.

By following these tips, you can create strong memorized secrets that will help to protect your accounts and data.