NIST-800-63-3B Password-Vetting Compliance

Monday, January 01 | 12:00AM–12:00AM CT
Session Type: Breakout Session
Delivery Format: Lightning Talk Presentation
In June 2017, NIST Special Publication 800-63-3B established new guidelines regarding how organizations should vet user passwords. Rather than password composition policies that require a certain number of character sets, NIST now recommends that organizations check passwords against a list of banned passwords and reject those that are found on the list. As of July 2018, the list of known compromised passwords numbers more than half a billion strings. This presentation will demonstrate how to solve this problem at all levels of the organization and also share a specific technical solution using a Bloom filter at Virginia Tech.

Outcomes:
  • Understand the drastic password-vetting changes introduced by NIST 800-63-3B as of June 2017
  • Learn how these changes will impact every level of your organization and how to adapt
  • Learn how to solve the technical challenges brought about by the changes with a hybrid solution
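The banned-list check described in the abstract can be sketched with a Bloom filter as follows. This is an added example, not Virginia Tech's implementation or code from the presentation; the class and function names, the five-entry sample list, and the optional exact lookup used to clear false positives are all assumptions made for illustration.

```python
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter sized for n items at false-positive rate p."""

    def __init__(self, n_items: int, fp_rate: float):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed sample banned list; a real deployment would load the full breach corpus.
BANNED = ["123456", "password", "qwerty", "letmein", "sunshine1"]


def build_filter(banned, fp_rate=0.001):
    bf = BloomFilter(len(banned), fp_rate)
    for pw in banned:
        bf.add(pw)
    return bf


def vet_password(candidate: str, bf: BloomFilter, authoritative=None) -> bool:
    """Return True if the candidate is acceptable, False if it must be rejected."""
    if candidate not in bf:
        return True          # Bloom filters have no false negatives: definitely not banned
    if authoritative is None:
        return False         # filter-only mode: accept a small false-positive rejection rate
    return candidate not in authoritative  # optional exact check clears false positives
```

With the same 0.1% false-positive target, the sizing formula gives about 14.4 bits per entry, so a list of half a billion strings needs roughly 0.9 GB of filter.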

  • Randy Marchany
    University IT Security Officer, Virginia Tech
  • Richard Tilley
    Senior Security Architect, Virginia Tech