Password Policy Generator
Generate compliance-aligned password policies with PAM configuration snippets
Frequently Asked Questions
Common questions about password policies and best practices
Why does NIST 800-63B recommend against password expiration?
NIST Special Publication 800-63B (first published 2017; the 2024 revision 4 draft tightens the wording from "SHOULD NOT" to "SHALL NOT") concluded, citing user studies, that forced periodic changes produce weaker passwords: users make minimal, predictable edits (Password1 → Password2) that an attacker who holds the old password can guess in a handful of tries. Instead, NIST directs verifiers to force a change only when there is evidence of compromise, and to pair that with screening against known-breached passwords and MFA. The result is stronger passwords that users can actually remember.
What minimum password length do compliance frameworks require?
Requirements vary by framework. NIST 800-63B requires at least 8 characters for user-chosen memorized secrets and recommends at least 15 for password-only authentication; it also requires verifiers to accept at least 64. PCI DSS v4.0 requirement 8.3.6 mandates 12 characters (up from 7 in v3.2.1) containing both letters and digits. HIPAA specifies no length and defers to NIST guidance; SOC 2 sets no number either, and auditors generally accept NIST-aligned policies. In practice, set a 12-character minimum and encourage passphrases of 4 or more words.
Are passphrases more secure than complex passwords?
Usually. "correct horse battery staple" is 28 characters including spaces; if its four words are drawn at random from a 7,776-word list it carries about 51.7 bits of entropy (4 × log2 7776). "P@$$w0rd!" (9 characters) is a keyboard substitution on a dictionary word that every cracking wordlist already contains, so its effective entropy is far below the ~59 bits a truly random 9-character password would have. The caveat is that the passphrase must actually be random: a familiar quote or song lyric is in the wordlists too. Passphrases are easier to remember, which reduces the temptation to reuse or write them down, and NIST 800-63B explicitly supports them: verifiers should accept spaces and all printable characters and allow a maximum length of at least 64 characters.
How does breached password screening work?
Breached password screening compares a candidate password against credentials exposed in known breaches, for example the Have I Been Pwned "Pwned Passwords" corpus of hundreds of millions of distinct passwords. The HIBP range API uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix in that range together with a breach count; the final comparison happens on the client, so the server never sees the full hash or the password. NIST 800-63B requires (SHALL) that verifiers check new passwords against a list of commonly used, expected, or compromised values and reject any match; the Pwned Passwords range API is free and needs no API key.
Should I enforce complexity rules or just minimum length?
Favour length. NIST 800-63B says verifiers SHOULD NOT impose composition rules (uppercase, digit, special character): users satisfy them with the same predictable patterns (Password1!), and those patterns are cheap for cracking tools to model. A longer password with no composition rule typically carries more entropy than a short one that meets every rule. Some frameworks still mandate composition: PCI DSS v4.0 requires both alphabetic and numeric characters alongside its 12-character minimum, so a policy that must satisfy PCI keeps that one rule and drops the rest. The most defensible baseline is a 12-character or longer minimum, breached-password screening, throttling of failed attempts, and MFA.
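A worked example, added here and not part of the generator's own output, that ties the two previous answers together: a length-first policy check with breached-password screening via the k-anonymity scheme described above. It hashes the password with SHA-1, sends (in principle) only the 5-character prefix, parses the returned suffix list locally, ignores padding entries, and applies composition rules only when a PCI DSS flag is set. The range response is a constructed sample, `offline_fetch_range` is a stand-in for an HTTP GET to https://api.pwnedpasswords.com/range/{prefix}, and the breach counts, the `pci_dss` flag and the 128-character upper bound are assumptions for illustration.

```python
"""Length-first password policy with HIBP-style k-anonymity breach screening.

Added illustration, not the generator's own output. The HTTP call is replaced
by offline_fetch_range() so the module runs without network access.
"""
import hashlib
import math
from typing import Callable, Dict, List, Tuple

# Constructed sample of a Pwned Passwords range response for the prefix 5BAA6
# (SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The counts
# and the two extra suffixes are made up; a real response has hundreds of
# lines. With the "Add-Padding: true" request header the real API also mixes
# in dummy entries with count 0, which a client must ignore.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix for "password"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"        # unrelated hash
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:0\r\n"        # padding entry
    ),
}

FetchRange = Callable[[str], str]


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the constructed sample, or an empty body for a prefix we hold no
    sample for (the real API returns a body for every prefix).
    """
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: FetchRange = offline_fetch_range) -> int:
    """k-anonymity lookup: match the local suffix against the returned range.

    Returns 0 when the suffix is absent or only matches a padding entry.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random from a
    wordlist (7776 is the size of the standard Diceware list)."""
    return word_count * math.log2(wordlist_size)


def check_password(
    password: str,
    min_length: int = 12,
    max_length: int = 128,  # NIST: accept at least 64; this only bounds hashing cost
    pci_dss: bool = False,  # PCI DSS v4.0 8.3.6 additionally wants letters + digits
    fetch_range: FetchRange = offline_fetch_range,
) -> List[str]:
    """Return the list of policy failures; an empty list means accepted.

    Deliberately no uppercase/special-character rules: length and breach
    screening do the work. Spaces are allowed so passphrases pass unchanged.
    """
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        failures.append(f"longer than {max_length} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if pci_dss and not (has_alpha and has_digit):
        failures.append("PCI DSS requires both alphabetic and numeric characters")
    # Cheap local checks first; spend the (normally remote) lookup only on
    # input we would otherwise hash and store.
    if len(password) <= max_length:
        hits = breach_count(password, fetch_range)
        if hits > 0:
            failures.append(f"appeared in {hits} breached credential sets")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate) or "accepted")
    print("4-word Diceware passphrase:", round(passphrase_entropy_bits(4), 1), "bits")
```

To go live, replace `offline_fetch_range` with a function that performs the GET (sending the `Add-Padding: true` header so response sizes do not leak which range was queried) and keep everything else unchanged; the composition flag stays off unless PCI DSS scope requires it.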