Password Policy Enforcement
Server-side enforcement of password requirements including minimum length, complexity, breach database checks, and history to prevent weak or compromised passwords.
Description
Password policy enforcement is the implementation of rules governing password creation and management, applied server-side so that every password meets the requirements even when client-side validation is bypassed or absent. Modern password policies follow NIST SP 800-63B, which requires a minimum length of 8 characters (many organizations go higher, 12 or more), a maximum length of at least 64 characters, acceptance of all printing ASCII and Unicode characters including spaces, Unicode normalization (NFKC or NFC) before the password is hashed, and screening against lists of commonly used, expected, or compromised passwords.
NIST's current guidelines notably diverge from traditional practice: they recommend against mandatory composition rules (uppercase, lowercase, number, special character) because these produce predictable patterns (Password1!) and user frustration, and against forced periodic rotation unless there is evidence of compromise. The emphasis is instead on length (passphrases are both stronger and easier to remember than short complex passwords) and on screening against breach corpora. The Have I Been Pwned (HIBP) Pwned Passwords API supports a k-anonymity range search that checks a password against its corpus of passwords exposed in breaches without the password, or even its full hash, ever leaving your server.
Implementation should include server-side validation that normalizes the password and then rejects it if it is below the minimum length, appears in a dictionary of common passwords (at least the top 100,000), or matches the HIBP range search (SHA-1 the password, send the first 5 hex characters of the hash to the API, and compare the returned suffix:count lines locally). Enforce password history (prevent reuse of the last N passwords) by comparing against the stored slow hashes of previous passwords, never by keeping plaintext or fast hashes of them. Return clear, specific feedback about why a password was rejected. Client-side, use a strength estimator like zxcvbn for real-time feedback, but treat it as UX only. Rate-limit password change attempts and require verification of the current password before allowing a change.
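The following is an added example (not code from the original page) of the server-side checks described above in Python: NFKC normalization, length bounds, a common-password list, the HIBP k-anonymity range check, and slow-hash password history with current-password verification. The HIBP call is replaced by an offline stand-in that produces the same `SUFFIX:COUNT` response format from a small constructed corpus; the common-password list, the user record and PBKDF2 (standing in for bcrypt/argon2) are all assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Callable, List, Tuple

MIN_LENGTH = 12              # assumption: the stricter bound from the prompt snippet
MAX_LENGTH = 128
HISTORY_DEPTH = 10
PBKDF2_ITERATIONS = 100_000  # stand-in for bcrypt/argon2; tune to ~100 ms in production

# Constructed stand-in for a real top-100k common-password list.
COMMON_PASSWORDS = {"password1234", "qwertyuiop12", "letmeinplease", "iloveyou1234"}

# Constructed stand-in for the HIBP corpus; drives the offline range query below.
_CONSTRUCTED_BREACHED = {"password": 9_000_000, "correcthorsebatterystaple": 300, "hunter2": 40_000}


def normalize(password: str) -> str:
    """NIST SP 800-63B: apply NFKC (or NFC) so the same password typed on
    different platforms counts, compares and hashes identically."""
    return unicodedata.normalize("NFKC", password)


def offline_range_query(prefix: str) -> str:
    """Offline replacement for GET https://api.pwnedpasswords.com/range/{prefix}.
    Returns the same 'SUFFIX:COUNT' lines the real endpoint does, built from the
    constructed corpus above, so the example runs without network access."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, range_query: Callable[[str], str]) -> int:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 are sent;
    the 35-char suffix is matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count or 0)
    return 0


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash used for history comparison (never store old passwords
    in plaintext or with a fast hash)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(history: List[Tuple[bytes, bytes]], password: str) -> None:
    """Append (salt, hash) for the newly set password and keep only the last N."""
    salt = os.urandom(16)
    history.append((salt, history_hash(password, salt)))
    del history[:-HISTORY_DEPTH]


def validate_new_password(password: str, *, username: str, email: str,
                          history: List[Tuple[bytes, bytes]],
                          range_query: Callable[[str], str] = offline_range_query) -> List[str]:
    """Server-side policy. Returns every rejection reason found (empty = accepted)."""
    pw = normalize(password)
    lowered = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"must be at most {MAX_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("is on the common-password list")
    # Assumption: 'matches the username or email' also covers containing them.
    for label, value in (("username", username.lower()), ("email", email.split("@")[0].lower())):
        if len(value) >= 3 and value in lowered:
            reasons.append(f"must not contain your {label}")
            break
    if not reasons:  # skip the API call and slow hashes for an already-rejected password
        count = pwned_count(pw, range_query)
        if count:
            reasons.append(f"has appeared in {count} known data breaches")
    if not reasons:
        if any(hmac.compare_digest(history_hash(pw, salt), digest) for salt, digest in history):
            reasons.append(f"must not match any of your last {HISTORY_DEPTH} passwords")
    return reasons


def change_password(user: dict, current: str, new: str,
                    range_query: Callable[[str], str] = offline_range_query) -> List[str]:
    """Require the current password before any change; rate-limit this endpoint.
    Simplification: the newest history entry doubles as the current credential."""
    cur_salt, cur_hash = user["history"][-1]
    if not hmac.compare_digest(history_hash(current, cur_salt), cur_hash):
        return ["current password is incorrect"]
    reasons = validate_new_password(new, username=user["username"], email=user["email"],
                                    history=user["history"], range_query=range_query)
    if not reasons:
        record_password(user["history"], new)
    return reasons
```

In production the range query is a single HTTPS GET whose body is parsed exactly as `pwned_count` does here; send the `Add-Padding: true` header if you want the response size not to reveal how many suffixes matched. Keep the breach check and history check after the cheap checks so a rejected short password never costs a network round trip or ten slow hashes.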
Prompt Snippet
Implement password policy enforcement following NIST SP 800-63B. Normalize the password with NFKC before measuring length, checking it, or hashing it. Enforce a minimum of 12 characters and a maximum of 128, allowing all Unicode and spaces. Check against the HIBP Pwned Passwords API using k-anonymity (SHA-1 hash the password, send the first 5 hex characters to api.pwnedpasswords.com/range/{prefix}, and check whether the 35-character suffix appears in the returned suffix:count list). Maintain a password_history table storing the last 10 slow-hashed passwords (same algorithm as the main credential) per user and reject reuse. Reject passwords that match or contain the username or email, or appear in a common-password dictionary. Require the current password before a change and rate-limit the change endpoint. Use zxcvbn on the client for real-time strength feedback only. Return specific rejection reasons in the API response for UX clarity.
Related Terms
Password Hashing (bcrypt/argon2)
The practice of transforming passwords into irreversible hashes using intentionally slow, memory-hard algorithms to protect credentials at rest.
Account Lockout Policy
A security policy that temporarily or permanently disables an account after a defined number of consecutive failed authentication attempts to prevent brute-force attacks.
Brute Force Protection
A set of defense mechanisms that detect and block automated high-volume authentication attempts aimed at guessing credentials through exhaustive trial.
Multi-Factor Authentication (MFA)
An authentication method requiring users to provide two or more verification factors from different categories (knowledge, possession, inherence) to gain access.
Audit Logging for Auth Events
Comprehensive, tamper-evident logging of all authentication and authorization events to support security monitoring, incident investigation, and compliance requirements.