U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

SP 800-118 (Retired Draft)

Guide to Enterprise Password Management

Date Published: April 2009
Comments Due: May 29, 2009 (public comment period is CLOSED)
Email Questions to: 800-118comments@nist.gov

Planning Note (4/1/2016):

This draft publication has been retired.


Karen Scarfone (Scarfone Cybersecurity), Murugiah Souppaya (NIST)


NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
The public comment period closed on May 29, 2009.



authentication; enterprise systems; password management; security
Control Families

Identification and Authentication; Planning; Risk Assessment; System and Communications Protection; System and Information Integrity


Draft SP 800-118

Supplemental Material:
None available

Document History:
04/21/09: SP 800-118 (Draft)