Password policy scorer vs NIST 800-63B API

Scores a provided password policy object against NIST SP 800-63B. It rewards long minimum lengths (>=12), allowing passwords of >=64 characters, breached-password screening, and rate limiting/lockout, and it penalizes forced periodic rotation and composition rules (both of which NIST advises against). The response contains per-check pass/fail findings with severity and remediation, plus a 0-100 alignment score with a letter grade. It answers questions such as 'Does this password policy meet NIST 800-63B?' and 'Is forced rotation hurting us?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/password-policy
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, password, nist, policy, authentication, compliance, scoring, identity
API URL: https://x402.hexl.dev/v1/security/password-policy
Example request
{
  "policy": {
    "minLength": 8,
    "maxLength": 64,
    "blockBreached": false,
    "requireUppercase": true,
    "maxAgeDays": 90,
    "lockoutThreshold": 5
  }
}
Example response
{
  "score": 40,
  "grade": "F",
  "standard": "NIST SP 800-63B",
  "checksEvaluated": 6,
  "checksPassed": 2,
  "checksFailed": 3,
  "findings": [
    {
      "id": "min-length",
      "status": "partial",
      "severity": "medium",
      "title": "minLength is 8 (meets NIST floor of 8 but <12)",
      "remediation": "Raise minimum length to at least 12 characters."
    },
    {
      "id": "breach-screening",
      "status": "fail",
      "severity": "high",
      "title": "Does not screen against breached-password lists",
      "remediation": "Check new passwords against a compromised-password corpus (e.g. HIBP/k-anonymity)."
    },
    {
      "id": "no-forced-rotation",
      "status": "fail",
      "severity": "medium",
      "title": "Forces periodic rotation (every 90 days)",
      "remediation": "Remove time-based expiry; NIST 800-63B says only rotate on evidence of compromise."
    },
    {
      "id": "no-composition-rules",
      "status": "fail",
      "severity": "low",
      "title": "Imposes character-composition rules (upper/number/special)",
      "remediation": "Drop composition requirements; they reduce entropy in practice. Rely on length + breach screening."
    }
  ]
}
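An added example, not part of the original page or the API's own code: a CI-style gate that consumes the example response above, cross-checks its summary counters against the findings list, and splits findings into blocking and advisory ids. The `block_at` threshold and the rule that passed checks are omitted from `findings` are assumptions inferred from the example response.

```python
import json

# Constructed input: the page's example response, trimmed to the fields used here.
SAMPLE = json.loads("""
{"score": 40, "grade": "F", "checksEvaluated": 6, "checksPassed": 2, "checksFailed": 3,
 "findings": [
  {"id": "min-length", "status": "partial", "severity": "medium"},
  {"id": "breach-screening", "status": "fail", "severity": "high"},
  {"id": "no-forced-rotation", "status": "fail", "severity": "medium"},
  {"id": "no-composition-rules", "status": "fail", "severity": "low"}
 ]}
""")

# Severity labels seen in the example response; any other label ranks highest
# so an unrecognised severity is never silently ignored.
RANK = {"low": 1, "medium": 2, "high": 3}
UNKNOWN = 4

def rank(finding):
    return RANK.get(finding.get("severity"), UNKNOWN)

def counts_consistent(resp):
    """Cross-check the summary counters against the findings list.

    Assumption (inferred from the example, not documented): passed checks are
    omitted from findings, so passed + listed non-pass findings == evaluated.
    """
    open_items = [f for f in resp.get("findings", []) if f.get("status") != "pass"]
    failed = sum(1 for f in open_items if f.get("status") == "fail")
    return (failed == resp.get("checksFailed")
            and resp.get("checksPassed", 0) + len(open_items) == resp.get("checksEvaluated"))

def gate(resp, block_at="high"):
    """Return (blocking_ids, advisory_ids), worst severity first.

    A finding blocks when its status is "fail" and its severity is at or above
    block_at (a hypothetical local threshold). Inconsistent counters raise,
    because a truncated or malformed response must not pass the gate.
    """
    if not counts_consistent(resp):
        raise ValueError("summary counters do not match findings")
    open_items = [f for f in resp.get("findings", []) if f.get("status") != "pass"]
    ordered = sorted(open_items, key=rank, reverse=True)
    blocking = [f["id"] for f in ordered
                if f.get("status") == "fail" and rank(f) >= RANK[block_at]]
    advisory = [f["id"] for f in ordered if f["id"] not in blocking]
    return blocking, advisory
```

In a pipeline, a non-empty blocking list would fail the job while advisory ids are reported without stopping it.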
Input schema
{
  "type": "object",
  "required": [
    "policy"
  ],
  "properties": {
    "policy": {
      "type": "object",
      "additionalProperties": true,
      "description": "Password policy settings.",
      "examples": [
        {
          "minLength": 8,
          "maxLength": 64,
          "blockBreached": false,
          "requireUppercase": true,
          "maxAgeDays": 90,
          "lockoutThreshold": 5
        }
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}