Password Security Compliance Checklist

By Bryan Giese

Right or wrong, usernames and passwords have been a critical component of website and application security for years. However, weak passwords can result in a costly data breach if compromised. To help ensure stronger password security, leading organizations like the National Institute for Standards and Technology have published clear criteria to discourage users from selecting easy-to-guess passwords. We have assembled those criteria into one checklist of key password recommendations to help you evaluate and improve your own password policies, and to help initiate critical conversations with your engineering, security, and governance teams.

Legally Required Password Constraints

According to Verizon’s Data Breach Investigations Report, 81% of hacking-related breaches took advantage of stolen and/or weak passwords. Financial, healthcare, and public sector organizations accounted for half of those breaches. With over four billion credentials stolen in 2019 and the impact of a data breach averaging $3.86 million per incident, password strength has emerged as an effective strategy to benefit overall security. In fact, many organizations are required by law to enforce strict password constraints and requirements. These password requirements are based on extensive study of the mathematical principles of password entropy and are proven to construct stronger passwords. They combine a variety of strategies including:

  • Minimum and maximum character counts
  • Uppercase and lowercase letter requirements
  • Numeric and special character requirements
  • Time-based password resets
  • Password re-use policies

You can use the following checklist to keep track of your compliance with each of the standards.

FDA (U.S. Food and Drug Administration)

The FDA regulates food, drugs, biologics, medical devices, electronic products (that give off radiation), cosmetics, veterinary products, and tobacco products.

HIPAA (Health Insurance Portability and Accountability Act)

Any organization that deals with protected health information (PHI) must ensure HIPAA compliance.

PCI DSS (Payment Card Industry Data Security Standard)

Any organization that deals with payment card data must be PCI compliant, whether payment card processing is the company’s primary function or not.

SOC 2 (Service Organization Control)

Established by the AICPA (American Institute of CPAs), SOC 2 applies to all companies using the cloud to store customers’ information.

NIST (United States National Institute for Standards and Technology)

NIST produces guidelines to help federal agencies meet the requirements of FISMA (the Federal Information Security Management Act); however, other organizations also reference NIST for strong security standards. The NIST guidelines were updated in 2019. NIST sets the precedent, and these standards often trickle down to other regulations such as HIPAA and SOC. It is likely there will be a shift in favor of password length and user friendliness.


Password security is a vital part of compliance and helps organizations protect user data and maintain customer trust. While these password requirements won’t eliminate all your password issues, they will go a long way to make your system more secure from the most common hacking attacks. Be sure your identity solution has built-in capabilities to help you stay up-to-date with frequently changing password compliance requirements. It will help strengthen password security, keep your customer information secure, and keep your business thriving.