The Bitsight password policy follows the recommendations of the National Institute of Standards and Technology (NIST) in Special Publication 800-63B and is designed to balance security and usability.
We follow these guidelines:
- Passwords must be a minimum of 15 characters in length.
- The following are allowed:
  - Printable ASCII characters
  - Uppercase and lowercase letters
  - Spaces
  - All Unicode characters
  - Emojis
- No specific character type or combination is required.
- Longer phrases are encouraged, rather than hard-to-remember or deceptively complex passwords.
Compromised password checks
- New passwords are checked against a list of known-compromised passwords that have appeared in publicly disclosed data breaches.
- If a compromised password is used, users will see the following error message:
  - “The new password is not allowed because it appeared on a publicly disclosed list of passwords.”
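As an added illustration (not Bitsight's own code), a Python validator that applies the rules above: a 15-character minimum counted in Unicode code points so that emojis and non-Latin scripts count once each, no composition rules, and a check of the candidate's SHA-1 against a small constructed set that stands in for a breach corpus such as the Have I Been Pwned list. The NFKC normalization step follows the SP 800-63B recommendation for Unicode secrets.

```python
import hashlib
import unicodedata

MIN_LENGTH = 15  # the policy minimum, measured in code points, not bytes

# Constructed sample of SHA-1 digests of known-compromised passwords.
# A real deployment would consult a full breach corpus (e.g. the HIBP list).
KNOWN_COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "password123456789", "correct horse battery staple")
}

COMPROMISED_MESSAGE = (
    "The new password is not allowed because it appeared on a "
    "publicly disclosed list of passwords."
)


def normalize(password: str) -> str:
    """Apply NFKC so that visually identical inputs hash and measure the same."""
    return unicodedata.normalize("NFKC", password)


def is_compromised(password: str) -> bool:
    """Look the SHA-1 of the normalized password up in the compromised set."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest in KNOWN_COMPROMISED_SHA1


def validate_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    errors = []
    pw = normalize(password)
    # len() counts code points, so a four-byte emoji counts as one character.
    if len(pw) < MIN_LENGTH:
        errors.append(
            f"Password must be at least {MIN_LENGTH} characters (got {len(pw)})."
        )
    # No composition rules: digits, symbols and mixed case are not required.
    if is_compromised(pw):
        errors.append(COMPROMISED_MESSAGE)
    return errors
```

A fifteen-emoji password passes the length rule even though it is 60 bytes in UTF-8, while a 28-character passphrase that appears in the constructed breach set is rejected with the page's error message.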
Important notes
- Effective on January 30, 2026, this policy replaces the previous requirement of a minimum password length of 8 characters.
- Existing passwords are not automatically invalidated by this change.
- The 15-character minimum applies when:
  - Creating a new password
  - Resetting a password
- January 30, 2026: Published password policy changes.
- November 30, 2021: Reviewed.
- June 25, 2019: Published.
Feedback
Please provide the list of "publicly exposed passwords" which you are going to be checking against, so we know what is and is not acceptable instead of having to guess at that criterion's requirements while making a new password.
Hi Ben, we use a list that is too large for us to make available in a practical fashion (millions of entries), but to get an idea, it is similar to the one at https://haveibeenpwned.com/