Security Operations · SY0-701 · Task 4.6

Password best practices — SY0-701

Security+ SY0-701 password best practices: what NIST requires (blocklists, salted hashing) and what it prohibits (composition rules, forced rotation).

WHAT IT IS

A password (formally called a memorized secret in NIST SP 800-63-4) is "a type of authenticator consisting of a character string that is intended to be memorized or memorable by the subscriber to permit the claimant to demonstrate something they know as part of an authentication process." Password best practices are the design and operational controls that verifiers and credential service providers (CSPs) apply to make memorized-secret authenticators resistant to guessing, credential stuffing, and offline cracking attacks.


Mental model

Think of password best practices as two separate jobs with two separate audiences:

  • User-facing controls govern what subscribers are allowed to create and enter (length floors, character acceptance, paste support, display-while-typing option).
  • System-side controls govern what verifiers do after the password is submitted (blocklist checking, salted hashing, rate limiting, storage).

The exam tests whether you can place a control in the right job. Mandatory character-class requirements (uppercase + symbol + number) are a user-facing restriction, and current NIST guidance explicitly prohibits them. Salting and hashing are system-side controls; the subscriber never sees them.


When to use it

The table below contrasts the legacy approach (still common in deployed systems and in many incorrect exam answer choices) with the NIST SP 800-63B approach that current security operations guidance reflects.

| Control | Legacy practice | NIST SP 800-63B-4 guidance |
|---|---|---|
| Minimum length (single-factor) | 8 characters | At least 15 characters |
| Minimum length (MFA context) | 6–8 characters | At least 8 characters |
| Maximum length | Often 16–20 characters | Verifiers should permit at least 64 characters |
| Composition rules (e.g., must include uppercase, symbol) | Required | Verifiers shall not impose composition rules |
| Periodic forced reset | Every 60–90 days | Shall not require periodic resets; change only on evidence of compromise |
| Blocklist of known-bad passwords | Rarely used | Shall compare prospective passwords against a blocklist (breach corpora, dictionary words, context-specific words) |
| Password hints | Common ("first pet?") | Shall not permit hints accessible to unauthenticated claimants |
| Security questions (KBA) | Common recovery method | Shall not use knowledge-based authentication for password selection |
| Paste / password manager support | Often blocked | Verifiers shall allow paste and autofill; should permit the 'paste' function |
| Storage | Sometimes plaintext or MD5 | Shall salt and hash using an approved password hashing scheme |
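The two jobs from the mental model, applied to the system-side rows of the table above, as an added example in Python (not code from this page or from NIST): length floors of 15 (single-factor) and 8 (MFA), a 64-character ceiling, no composition rule, a blocklist plus context-specific-word check, and salted hashing with an approved scheme. The blocklist contents, the NFKC normalization step and the scrypt parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample blocklist; a real verifier would load a breach corpus
# and dictionary words here and check them after the same normalization.
BREACHED_PASSWORDS = {"password", "P@ssw0rd!", "qwerty123", "letmein"}

# Length floors and ceiling from NIST SP 800-63B-4 (see table above).
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_MFA = 8
MAX_LEN = 64


def normalize(password: str) -> str:
    # Length is counted in Unicode code points, not bytes, so non-ASCII
    # characters are not penalized. NFKC is an assumption of this example.
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str, username: str, service: str, mfa: bool) -> str:
    """Return 'ok' or the reason the verifier rejects the candidate.

    Deliberately no composition rule: any printable character, including
    spaces, is accepted. Only length and blocklist membership decide.
    """
    pw = normalize(password)
    floor = MIN_LEN_MFA if mfa else MIN_LEN_SINGLE_FACTOR
    if len(pw) < floor:
        return f"too short (minimum {floor})"
    if len(pw) > MAX_LEN:
        return f"too long (maximum {MAX_LEN})"
    if pw in BREACHED_PASSWORDS:
        return "found in blocklist of compromised passwords"
    # Context-specific words (the username, the service name) are also blocked.
    for word in (username, service):
        if word and word.lower() in pw.lower():
            return "contains context-specific word"
    return "ok"


def hash_password(password: str, salt: bytes = b"") -> tuple:
    # Per-user random salt plus a memory-hard, approved scheme (scrypt).
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time comparison of the recomputed digest against storage.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)
```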

COMMON MISCONCEPTION

The trap: "Strong passwords require uppercase letters, numbers, and special characters."

This is the most deeply embedded myth in the field, and it is what NIST SP 800-63B-4 explicitly rejects. The guidance states that verifiers "shall not impose other composition rules (e.g., requiring mixtures of different character types) for passwords." The reason is grounded in how attackers actually operate: composition rules lead users toward predictable substitution patterns (P@ssw0rd!) that are well-represented in breach corpora, while doing nothing to prevent credential stuffing from those same corpora.

The effective countermeasure is blocklist checking — comparing the candidate password against known-compromised passwords — not forcing character-class mixing.

A second common trap is mandatory periodic expiration. NIST 800-63B-4 states that verifiers "shall not require subscribers to change passwords periodically." Forced rotation causes users to make incremental, predictable changes that offer little real security gain. Passwords should be changed when there is evidence of compromise, not on a calendar schedule.


How it shows up on the exam

Exam questions in this area test application and analysis more than recall. Candidates are typically given a scenario describing an organizational policy and asked to identify which element is inconsistent with current best practices, or which control addresses a specific threat (e.g., credential stuffing, offline cracking, brute force).

Signal phrases to recognize:

  • "Must contain at least one uppercase, one number, and one special character" — this describes a composition rule that current NIST guidance prohibits; it is not a best practice.
  • "Users must reset their passwords every 90 days" — this describes mandatory periodic expiration, which current NIST guidance also prohibits absent evidence of compromise.
  • "Passwords are checked against a list of known-compromised credentials" — this describes blocklist checking, which current guidance requires.
  • "Passwords are stored using a salted hash" — this is the required storage approach; a non-salted hash or reversible encryption is not.

Candidates frequently confuse what the verifier must do (blocklist check, salted hash, rate-limit) with what the user must do (nothing beyond meeting the minimum length). The guidance places most of the burden on the system, not the subscriber.


Related concepts

  • Identity Lifecycle — covers how memorized secrets are established, updated, and revoked across the full account lifecycle.
  • Federation and SSO — addresses how authentication events, including those using memorized secrets, are asserted across trust boundaries.
  • Access Control Models — covers what happens after successful authentication: how access decisions are made based on verified identity.
