This site is a demo for the nist-password-validator library. (v 3.0.1)

A lightweight, zero-dependencies open-source password validator according to NIST guidelines.

Check out the GitHub repository for more information. Leave a star ⭐ if you like it!

NIST Password Validator

Password Input

Strong Passwords, Simplified
NIST has updated its password guidelines to prioritize simplicity and security.
Forget complex rules and focus on length.
  • Length is Key: Aim for at least 8 characters, the longer the better.
  • Creative Freedom: Use any printable characters: letters, numbers, symbols, spaces, emojis 😁, or other languages (אפילו עברית).
  • Unique and Unpredictable: Avoid dictionary words, personal information, or anything related to the app or service.
  • Memorability Matters: Use memorable passphrases that are easy for you to remember but difficult for others to guess.
For more information, see below 👇

Validation Options

Blocklist Options

Password Security Guidelines

HIBP (Have I Been Pwned)

HIBP (Have I Been Pwned) checks whether your password appears in known data breaches, aligning with NIST guidelines. These guidelines recommend verifying passwords against breach databases to prevent the reuse of compromised passwords.

The HIBP database contains nearly 1 billion unique passwords. While this number might seem large, an attacker with a modern computer can try them all within seconds using brute force. Avoid using passwords found in such databases to enhance your security.

Context-Specific Password Blocklists

Context-specific password blocklists, in compliance with NIST guidelines, help ensure stronger password choices by disallowing predictable or commonly used passwords, such as:

  • Common dictionary words
  • Company-specific terms
  • Context-specific phrases (e.g., project names)
  • Users' personal information (e.g., name, email, date of birth)

NIST Guidelines Key Points (SP 800-63B)

  • View NIST Guidelines
  • Passwords must be at least 8 characters long (15 characters or more recommended).
  • Allow passwords up to at least 64 characters.
  • Support all printable ASCII characters and spaces.
  • Unicode characters are recommended, with each code point counted as one character.
  • Avoid enforcing composition rules (e.g., requiring a mix of character types).
  • Do not require periodic password changes unless there is evidence of compromise.
  • Do not allow password hints accessible to unauthenticated users.
  • Avoid using knowledge-based authentication (KBA) as part of password verification.
  • Always validate the full password as submitted; do not truncate or alter it.
  • May remove leading and trailing whitespace from passwords to prevent user errors. Length validation occurs after trimming.