📋 Frameworks

Every major compliance standard

The Policy Builder auto-configures all settings for each framework. Adjust manually if your organisation applies stricter requirements.

NIST SP 800-63B 2025

NIST Guidelines

Min 15 chars. No composition rules. No mandatory rotation. Breach corpus checking required. The gold standard for government and enterprise.

PCI-DSS v4.0

Payment Card

Min 12 chars (Req 8.3.6). 90-day rotation without MFA; no rotation with MFA (Req 8.4.2). 10-attempt lockout (Req 8.2.8).

ISO/IEC 27001:2022

ISO 27001

Controls 5.16, 5.17, and 8.2. Organisation-defined requirements. Builder applies NIST-aligned defaults with 12-month history tracking.

HIPAA

Healthcare

45 CFR Part 164 does not specify a length. Builder applies NIST-aligned 15-char minimum per HHS guidance for ePHI systems.

Cyber Essentials

Cyber Essentials

UK government scheme. Min 8 chars. No complexity rules. MFA mandatory where available. Rotation on compromise only.

📐 Framework Reference

Password requirements across major compliance frameworks

Select any preset in the Policy Builder above to auto-configure all parameters for your framework. Table reflects requirements as of May 2026.

Framework | Min Length | Rotation | MFA Rotation Exemption | Breach Check | Lock Threshold
NIST SP 800-63B 2025 | 15 chars | SHALL NOT | N/A — prohibited entirely | SHALL | Not specified
PCI-DSS v4.0 (no MFA) | 12 chars | 90 days | | Not specified | 10 attempts
PCI-DSS v4.0 (with MFA) | 12 chars | Not required | ✓ Req 8.4.2 | Not specified | 10 attempts
ISO/IEC 27001:2022 | Org-defined | Org-defined | | Recommended | Org-defined
HIPAA 45 CFR Part 164 | Not specified | Periodic | | Not specified | Not specified
Cyber Essentials (NCSC) | 8 chars | On compromise only | MFA mandatory where available | Not specified | Not specified

Sources: NIST SP 800-63B July 2025 · PCI SSC v4.0 March 2022 · ISO/IEC 27001:2022 · HHS HIPAA guidance · NCSC Cyber Essentials 2024. Policy Builder presets map directly to rows in this table.

📊 Compliance Data

The cost of non-compliance

£17.3M: average cost of a data breach in the UK (IBM Cost of Data Breach Report 2024)
Req 8.3.6: PCI-DSS v4.0 raised the minimum password length to 12 characters from 7 (PCI-DSS v4.0, March 2022)
SHALL NOT: NIST SP 800-63B language on mandatory periodic rotation (NIST SP 800-63B, July 2025)
3+ audits: the number a typical enterprise faces simultaneously (PCI, ISO, Cyber Essentials); industry average
🔗 Enterprise Tools

Complete your compliance stack

Affiliate disclosure: Some links earn us a commission. Full disclosure →
1Password Business / Bitwarden Enterprise

Enterprise Password Manager

Vault, distribute, and audit credentials across the organisation. SOC 2, ISO 27001, and HIPAA compliant.

CyberArk / BeyondTrust

Privileged Access Management

Vault, rotate, and audit privileged credentials automatically. Dual-control access and session recording for audit evidence.

Qualys / Rapid7

Vulnerability Management

Password policy is one layer. Continuous vulnerability scanning identifies credential-related exposures across your environment.

❓ FAQ

Frequently asked questions

Presets are provided for NIST SP 800-63B 2025, PCI-DSS v4.0 (with and without MFA), ISO/IEC 27001:2022, HIPAA (45 CFR Part 164), and Cyber Essentials. Each preset auto-configures minimum length, character requirements, and rotation guidance.

Each checklist item shows in real time whether the generated password meets a specific requirement, for example minimum length, character class requirements, and the entropy threshold. Green tick = compliant. Red cross = the current configuration fails that requirement.

PCI-DSS v4.0 raised the minimum from 7 to 12 characters (Req 8.3.6), increased the lockout threshold to 10 attempts (Req 8.2.8), and added a critical new exemption: accounts using MFA have no mandatory rotation requirement (Req 8.4.2).

No. HIPAA 45 CFR Part 164 does not prescribe specific lengths or character classes. However, HHS references NIST SP 800-63B for authentication guidance. The HIPAA preset applies 15 characters, aligned with NIST 2025.

Entropy measures the password search space: H = L × log₂(N), where L is the length and N is the character pool size. The bar colour-codes the result: below 60 bits is weak, 60–80 moderate, 80–100 strong, above 100 very strong. 131 bits (20 characters drawn from all classes) is infeasible to brute-force.

No. All generation uses crypto.getRandomValues() entirely client-side. No password, policy setting, or input is transmitted. To verify, open DevTools → Network while generating: zero requests are made.

SHALL is a mandatory requirement; organisations implementing NIST 800-63B must comply. SHOULD is a strong recommendation. SHOULD NOT means the action is strongly advised against but not prohibited. SHALL NOT is an absolute prohibition. The 2025 revision changed mandatory rotation from SHOULD NOT to SHALL NOT, making it non-compliant to enforce periodic rotation without evidence of compromise.

The key is MFA deployment. NIST prohibits mandatory rotation. PCI-DSS v4.0 Req 8.4.2 removes the 90-day rotation requirement for accounts using MFA. With MFA on all accounts, CDE and general alike, both standards align on no periodic rotation. Set your minimum at 15 characters (this satisfies both the 12- and 15-character requirements) and implement breach corpus checking. See the multi-framework reconciliation guide.

Entropy in bits is calculated as H = L × log₂(N), where L is the password length and N is the size of the character pool. A 16-character password using 95 printable ASCII characters has 105 bits of entropy. The bar colour-codes the result: below 60 bits is weak, 60–80 moderate, 80–100 strong, above 100 very strong. The Policy Builder targets 100+ bits for all enterprise presets.

The PCI-DSS v4.0 preset (without MFA) sets the minimum length to 12 characters, enables alphabetic and numeric requirements, and displays a rotation note reminding you that 90-day rotation applies. The PCI-DSS with MFA preset sets the same length but removes the rotation note. Both set lockout notes at 10 attempts per Requirement 8.2.8.
📖 Compliance Guides

Deep dives on enterprise password policy

👤 About

Written by GRC professionals

The Policy Builder and compliance guides on this site are written by Sarah Mitchell, a GRC consultant specialising in enterprise password policy for PCI-DSS, ISO 27001, HIPAA, and Cyber Essentials programmes across financial services, healthcare, and critical infrastructure.

Technical claims are sourced from primary framework documents — PCI SSC publications, NIST SP 800-63B, ISO/IEC 27001:2022, HHS HIPAA guidance, and NCSC Cyber Essentials. Content is updated when standards change.

Trust signals
All generation uses crypto.getRandomValues() — client-side only
Presets sourced from PCI SSC, NIST, ISO, HHS, and NCSC primary documents
No display advertising — affiliate links disclosed per ASA/FTC guidelines
Operated by Kokal Operations Ltd, registered in England and Wales