Aeries hosted districts are subject to a default set of password requirements. Aeries non-hosted districts can set custom password requirements by user type; see Configure Aeries Password Requirements. Aeries strongly encourages districts to follow the guidelines and best practices recommended by the National Institute of Standards and Technology (NIST) when establishing password requirements. The NIST Digital Identity Guidelines are published as SP 800-63 (the password-specific rules are in SP 800-63B); the revision 4 second public draft was released in August 2024. The summary below is for informational purposes only. See the NIST Digital Identity Guidelines for complete information.
Eliminate periodic password changes.
Current Recommendation: Avoid requiring users to frequently change their password unless there is evidence of a compromise. Previously, users were encouraged to change their passwords periodically (such as every 90 days), which often resulted in weaker passwords and predictable patterns.
Choose longer passwords (passphrases) over complex passwords, and avoid strict composition rules.
Current Recommendation: Choose an easy-to-remember passphrase of at least 15 characters (NIST requires a minimum of 8 and recommends 15) and make sure the system accepts passphrases of at least 64 characters. Spaces and any printable ASCII or Unicode characters are allowed, and no particular mix of character types is required. Avoid repeated or sequential characters (such as 1111 or abcd). Previously the emphasis was on complexity, with a required mix of uppercase, lowercase, numbers, and special characters, which was hard for users to remember and led to predictable substitutions (such as 0 for o).
Prevent use of common passwords.
Current Recommendation: Check every new or changed password against a blocklist of commonly used, expected, or compromised passwords (passwords from breach corpora, dictionary words, and context-specific words such as the product name or the username) and reject any match. Previously passwords were checked only for length and character requirements, which did not prevent easily guessable choices.
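The two recommendations above (length over composition, plus a blocklist) can be enforced in one verifier-side check. The following is an added example written for this page, not Aeries code or the NIST reference text; the length limits, the run length, the blocklist contents and the context words are assumptions chosen for illustration, and the blocklist stands in for a real breach corpus.

```python
import unicodedata

# Policy values below are assumptions for this example. NIST SP 800-63B requires
# a minimum of 8 characters, recommends 15, and says verifiers should accept
# passwords of at least 64 characters; there are no composition rules.
MIN_LEN = 15
MAX_LEN = 128        # deliberately above the 64 that must be permitted
RUN_LEN = 4          # "1111", "abcd", "dcba" and longer runs are rejected

# Constructed stand-in for a real blocklist of common/breached passwords.
BLOCKLIST = {
    "password",
    "correct horse battery staple",
    "letmein letmein letmein",
    "qwertyuiopasdfghjkl",
}
# Context-specific words an attacker would guess first (constructed list).
CONTEXT_WORDS = ["aeries", "student", "district"]


def normalize(pw: str) -> str:
    """NFKC-normalize so the same passphrase typed via different keyboards or IMEs
    compares equal (full-width 'ｐａｓｓｗｏｒｄ' becomes 'password').
    NIST recommends NFKC or NFC normalization before comparison."""
    return unicodedata.normalize("NFKC", pw)


def has_run(pw: str, n: int = RUN_LEN) -> bool:
    """True if pw contains n identical code points in a row (1111) or n code
    points stepping by exactly +1 or -1 (abcd, 4321)."""
    cps = [ord(c) for c in pw.casefold()]
    for i in range(len(cps) - n + 1):
        window = cps[i:i + n]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the policy failures for a candidate; [] means it is acceptable.

    Length is counted in Unicode code points after normalization; spaces and
    any printable ASCII or Unicode character are allowed.
    """
    pw = normalize(candidate)
    failures = []
    if len(pw) < MIN_LEN:
        failures.append("too_short")
    if len(pw) > MAX_LEN:
        failures.append("too_long")
    if has_run(pw):
        failures.append("repeated_or_sequential")
    lowered = pw.casefold()
    if lowered in BLOCKLIST:
        failures.append("blocklisted")
    context = CONTEXT_WORDS + ([username] if username else [])
    if any(w.casefold() in lowered for w in context):
        failures.append("context_word")
    return failures


if __name__ == "__main__":
    for pw in ["purple tractor hums at dawn", "Correct Horse Battery Staple",
               "abcd efgh ijkl mnop", "ｐａｓｓｗｏｒｄ", "my aeries login phrase here"]:
        print(f"{pw!r:40} -> {check_password(pw) or 'OK'}")
```

Note that a long, famous passphrase is still rejected because it is on the blocklist, and the full-width spelling of "password" is caught only because the candidate is normalized before the comparison; a check that skipped normalization would let it through.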
Encourage use of Password Managers for password storage.
Current Recommendation: Maintain a unique password for each account, and store passwords in a reputable password manager. Previously there was no guidance on this practice and password reuse was common.
Use multifactor authentication (MFA).
Current Recommendation: Add a layer of security through multifactor authentication (MFA), particularly for sensitive accounts and systems, which can significantly limit the risk of unauthorized access even if a password is compromised. Previously MFA was recommended but not emphasized for all accounts.
Use rate limiting rather than account lockouts.
Current Recommendation: Do not lock accounts after a fixed number of failed login attempts. Instead, rate-limit: after a few failures, require a growing delay before the next attempt is accepted. This slows brute-force guessing while removing an easy denial-of-service, since entering wrong passwords on a victim's account no longer locks that user out. Previously users were often locked out of their accounts unnecessarily and needed technical assistance to recover.
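The delay-instead-of-lockout approach, as an added example written for this page rather than Aeries code: each failed attempt past a small free allowance doubles the wait before the next attempt is accepted, a successful login clears the counter, and attempts that arrive during the wait are refused without checking the credential. The account name, password, free-attempt count, base delay and cap are assumptions for illustration, and the fake clock exists only so the scenario can be run deterministically offline.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0
    not_before: float = 0.0   # clock reading at which the next attempt is accepted


class LoginThrottle:
    """Per-account throttling with exponential backoff instead of lockout.

    Assumed parameters: the first `free_attempts` failures cost nothing, then each
    further failure doubles the wait from `base` seconds up to `cap`. Success clears
    the state, so there is never a locked account that needs unlocking.
    """

    def __init__(self, free_attempts: int = 3, base: float = 1.0,
                 cap: float = 300.0, clock=time.monotonic):
        self.free_attempts, self.base, self.cap = free_attempts, base, cap
        self._clock = clock
        self._state: dict[str, _AccountState] = {}

    def wait_remaining(self, account: str) -> float:
        st = self._state.get(account)
        return 0.0 if st is None else max(0.0, st.not_before - self._clock())

    def record_failure(self, account: str) -> float:
        """Count a failure and return the delay (seconds) imposed before the next try."""
        st = self._state.setdefault(account, _AccountState())
        st.failures += 1
        over = st.failures - self.free_attempts
        delay = 0.0 if over <= 0 else min(self.cap, self.base * 2 ** (over - 1))
        st.not_before = self._clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


# Constructed user store: one account, PBKDF2 with a fixed demo salt
# (a real system uses a random per-user salt).
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"jdoe": _hash("purple tractor hums at dawn")}


def verify_credential(account: str, password: str) -> bool:
    stored = USERS.get(account)
    if stored is None:
        _hash(password)       # same cost for unknown accounts: no timing-based enumeration
        return False
    return hmac.compare_digest(stored, _hash(password))


def attempt_login(throttle: LoginThrottle, account: str, password: str) -> tuple[bool, float]:
    """Return (authenticated, retry_after_seconds). While a delay is pending the
    credential is not checked, so hammering neither speeds up guessing nor counts
    as further failures."""
    remaining = throttle.wait_remaining(account)
    if remaining > 0:
        return False, remaining
    if verify_credential(account, password):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)


class FakeClock:
    """Deterministic clock so the scenario can be run and checked offline."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> list[tuple[bool, float]]:
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    out = []
    for _ in range(4):                                            # 3 free failures, then 1 s
        out.append(attempt_login(throttle, "jdoe", "wrong guess"))
    out.append(attempt_login(throttle, "jdoe", "wrong guess"))    # too early: refused, unchecked
    clock.advance(1.0)
    out.append(attempt_login(throttle, "jdoe", "wrong guess"))    # 5th failure: 2 s delay
    clock.advance(2.0)
    out.append(attempt_login(throttle, "jdoe", "purple tractor hums at dawn"))  # correct
    out.append(attempt_login(throttle, "jdoe", "wrong guess"))    # state cleared: no delay
    return out


if __name__ == "__main__":
    for ok, wait in run_scenario():
        print("authenticated" if ok else f"rejected, retry after {wait:.0f}s")
```

The state is keyed per account because that is what a lockout would have been keyed on; in production the same throttle is usually applied per source address as well, and the persistent state lives in a shared store rather than in process memory so that every login node sees the same counters.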