800-63BDigital Identity Guidelines
Authentication and Lifecycle Management
Veriﬁers SHALL require subscriber-chosen memorized secrets
to be at least 8 characters in length. Veriﬁers SHOULD permit
subscriber-chosen memorized secrets at least 64 characters in
All printing ASCII [RFC 20] characters as well as the space
character SHOULD be acceptable in memorized secrets.
Unicode [ISO/ISC 10646] characters SHOULD be accepted as
Veriﬁers SHOULD NOT impose other composition rules (e.g.,
requiring mixtures of diﬀerent character types or prohibiting
consecutively repeated characters) for memorized secrets.
Veriﬁers SHOULD NOT require memorized secrets to be
changed arbitrarily (e.g., periodically).
Many graphics from The Noun Project
Bear by Gan Khoon Lay; Computer Fire by Ian Ransley; Computer by Azis; Credit
card Gonzalo Bravo; Fingerprint by Ben Davis; Lock with keyhole by Brennan
Novak; Marker by Jeﬀ Seevers; Nokia 3310 by Stan Fisher; Notiﬁcation by vijay
sekhar; Shield by Wayne Thayer; Spy by Alen Krummenacher; iPhone by Ross