NIST SP 800-118 (Initial Public Draft)

Guide to Enterprise Password Management

Date Published: April 2009
Comments Due: May 29, 2009 (public comment period is CLOSED)
Planning Note (04/01/2016):

This draft publication has been retired.


Karen Scarfone (Scarfone Cybersecurity), Murugiah Souppaya (NIST)


NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
The public comment period closed on May 29, 2009.



Keywords

authentication; enterprise systems; password management; security

Control Families

Identification and Authentication; Planning; Risk Assessment; System and Communications Protection; System and Information Integrity


Draft SP 800-118 (pdf)

Supplemental Material:
None available

Document History:
04/21/09: SP 800-118 (Draft)