thePCI Portal

I am NISTy, do I still have to comply with the password complexity requirement?

PCI DSS v3.2 Requirement 8.2.3 requires passwords at least seven characters long:


8.2.3 Passwords/passphrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
    Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.


I think it's reasonable that if you implement ALL the guidance in NIST Special Publication 800-63B – Digital Identity Guidelines – Authentication and Lifecycle Management, that's a reasonable compensating control for a six-character password that does not enforce the use of both alphabetic AND numeric characters.

This would have to include the requirement that the system disallows a chosen password based on its appearance on a blacklist of compromised values.
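To make the two policies concrete, here is an added example (my own illustration, not code from the post or from PCI/NIST) that checks a candidate password against PCI DSS 8.2.3 and against an 800-63B-style verifier: a length floor, screening against a compromised-value list and against repetitive or sequential runs, and no composition rules. The blacklist is a small constructed sample standing in for a breach-derived list, and `min_length` is left as a parameter because 800-63B's own floor for user-chosen secrets is 8 while the compensating-control case above is 6.

```python
# Constructed sample of a "compromised values" list. A real verifier loads a
# large breach-derived list from disk (often as hashes); this is only a stand-in.
COMPROMISED = {"password", "passw0rd", "123456", "qwerty", "letmein"}


def pci_8_2_3_ok(pw: str) -> bool:
    """PCI DSS v3.2 8.2.3: at least 7 characters, with both letters and digits."""
    return (len(pw) >= 7
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def _has_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n identical chars (aaaa) or n consecutive ones (abcd, 1234)."""
    for i in range(len(pw) - n + 1):
        seg = pw[i:i + n]
        if len(set(seg)) == 1:
            return True
        if all(ord(seg[j + 1]) - ord(seg[j]) == 1 for j in range(n - 1)):
            return True
    return False


def nist_63b_ok(pw: str, min_length: int = 8, compromised=COMPROMISED) -> bool:
    """800-63B-style check: length floor, blacklist screening, no composition rules.

    min_length is a parameter; 800-63B itself sets 8 for user-chosen secrets.
    """
    if len(pw) < min_length:
        return False
    if pw.lower() in compromised:      # compromised / dictionary screening
        return False
    if _has_run(pw):                   # repetitive or sequential characters
        return False
    return True


def evaluate(pw: str, min_length: int = 8) -> dict:
    """Return the verdict of each policy for one candidate password."""
    return {"pci_8_2_3": pci_8_2_3_ok(pw),
            "nist_800_63b": nist_63b_ok(pw, min_length)}


if __name__ == "__main__":
    # Constructed samples showing where the two policies disagree.
    for cand in ("Passw0rd", "abcd1234", "correct horse battery staple", "zebra7"):
        print(f"{cand!r:32} {evaluate(cand)}")
```

Run as-is, the output shows that "Passw0rd" and "abcd1234" satisfy 8.2.3 yet are rejected by the blacklist and run checks, while a long passphrase without digits fails 8.2.3 and passes 800-63B; that gap is what the compensating-control argument has to cover.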

(The word "password" is used for ease of discussion. Where used, it should be interpreted to include passphrases and PINs as well as passwords. A password is a "memorized secret".)

The introduction section of Appendix A of the NIST publication has a great overview to help you describe the risk mitigation.

Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication [Persistence]. Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.
Complexity of user-chosen passwords has often been characterized using the information theory concept of entropy [Shannon]. While entropy can be readily calculated for data having deterministic distribution functions, estimating the entropy for user-chosen passwords is difficult and past efforts to do so have not been particularly accurate. For this reason, a different and somewhat simpler approach, based primarily on password length, is presented herein.
Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones. These attacks are outside the scope of this Appendix.

