What are the NIST SP 800-171 Password Requirements?

The password requirements for NIST SP 800-171 are not very specific, this allows organizations to establish their own password policy as long as it meets basic NIST SP 800-171 requirements.

Join our newsletter:
When CMMC 2.0 was announced on November 11th, 2021 most DoD contractors released sighs of relief. CMMC 2.0 addressed many of the industry's concerns around the original CMMC. These initial concerns included high costs for small businesses, complex security requirements, and potential conflicts of interest.

Word for Word NIST SP 800-171 Password Requirements:

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.

What does this mean?

You need to require the use of a password before you grant access to your system. All user accounts must be password protected.
You need to establish minimum password complexity requirements. NIST SP 800-171 doesn’t specify what they are, it only says that you must have password complexity requirements. In the DISA Security Technical Implementation Guide for Windows 10 the following requirements are recommended: Require passwords to be at least 14 characters in length, enable the built-in Microsoft password complexity filter, set the maximum password age to 60 days or less, and require passwords to expire. NIST no longer recommends that passwords are required to be reset periodically (e.g., every 60 days), instead it recommends that passwords are reset “if there is evidence of compromise” of the password.
So what should your password complexity requirements be? It is up to you. Pick what works best for your organization. Perhaps you go with a password length of 12 characters and never require it to be reset unless there is evidence that the password was compromised. You may also require that passwords contain mixed case letters, numbers, and special characters.
You must prohibit the reuse of passwords for a number of generations. The center for internet security recommends setting this to 24 generations. The DISA STIG for Windows 10 also recommends the same.
You must require that users change their passwords when they login with a temporary password. This is generally set when an admin changes a password for a user and sends them a temporary random password. When the user logs in using the password they are required to change it.


  • NIST SP 800-171 password requires are flexible
  • Make sure to require the use of passwords
  • Establish password complexity requirements
  • Prohibit the reuse of passwords
  • Require the use of a temporary password when you reset a password for a user
  • You can use guidance from the Center for Internet Security and NIST to help meet NIST SP 800-171 password requirements

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.