Updated April 2026

FIPS 140-3 Password Requirements: The Government Contractor Guide

FIPS 140-3 is the federal standard for cryptographic modules. For government contractors and DoD suppliers, it sets the highest password bar of any compliance framework. Here is exactly what it requires.

What FIPS 140-3 actually requires

FIPS PUB 140-3 — Federal Information Processing Standard Publication 140-3 — defines security requirements for cryptographic modules used by US federal agencies and their contractors. It replaced FIPS 140-2 in 2019 and is based on the international standard ISO/IEC 19790:2012.

FIPS 140-3 is not primarily a password standard. It is a module security standard — it defines what it means for a cryptographic system to be trustworthy. However, its requirements have direct implications for password generation:

  • The entropy source used to generate credentials must be validated. If passwords are generated using a FIPS 140-3 non-compliant random number generator, those passwords are out of scope for federal use, regardless of their length or complexity.
  • Documented provenance is required. Federal agencies must be able to prove that credentials were generated using a validated entropy source. Manual or undocumented credential creation is not acceptable.
  • The credential generation process must be auditable. Every credential used to protect federal systems must have a traceable record of generation parameters, entropy source, and compliance standard.

FIPS 140-3 compliance is enforced through the NIST Cryptographic Module Validation Program (CMVP). Modules are tested by accredited labs and validated certificates are listed at csrc.nist.gov/projects/cryptographic-module-validation-program.

Key distinction: FIPS 140-3 validates the cryptographic module (the random number generator), not the password itself. A 20-character password generated with a FIPS-validated entropy source meets FIPS requirements. The same password generated with Math.random() does not — regardless of its length.

Who must comply with FIPS 140-3

FIPS 140-3 compliance is mandatory for:

  • US federal agencies — all civilian agencies and military branches must use FIPS-validated cryptographic modules for sensitive information systems (per OMB Circular A-130)
  • Federal contractors — vendors providing IT systems, software, or services to the federal government that involve cryptographic protection of federal data
  • DoD suppliers and defense contractors — subject to CMMC (Cybersecurity Maturity Model Certification) and NIST SP 800-171, which require FIPS-validated cryptography
  • FedRAMP-authorized cloud providers — all cloud services processing federal data require FIPS 140-2/140-3 validated encryption
  • Healthcare organisations under federal contracts — systems handling protected health information in federal programs (VA, CMS, NIH contractors) must meet FIPS requirements

Private companies without federal contracts are not legally required to comply with FIPS 140-3. However, many choose to comply because it signals the highest level of cryptographic rigor, satisfies the most demanding enterprise security reviews, and future-proofs credential generation against tightening federal requirements.

Password length and complexity requirements

FIPS 140-3 itself defines module security levels (1–4) but delegates specific password requirements to implementing guidance. The de facto requirements for FIPS 140-3 compliant password generation, drawn from that guidance, are:

  • Minimum password length (DoD STIG baseline): ≥ 15 characters
  • Recommended minimum (FIPS-aligned best practice): ≥ 20 characters
  • Privileged / admin accounts: ≥ 20 characters
  • Service account / API credentials: ≥ 24 characters
  • Character classes required: all four (upper, lower, digits, symbols)
  • Dictionary words: prohibited
  • Repeating character sequences: prohibited

These are the highest password requirements of any major compliance framework. A FIPS 140-3 compliant password is, by definition, compliant with HIPAA (12 chars), PCI-DSS v4.0 (12 chars), SOC 2 (16 chars), and ISO 27001 (14 chars).

A 20-character password using the full printable ASCII character set (95 characters) provides approximately 131 bits of entropy — well above the 128-bit threshold recommended for post-quantum resilience.

FIPS-validated entropy sources

The entropy source requirement is the defining technical constraint of FIPS 140-3 password compliance. Acceptable entropy sources:

  • crypto.getRandomValues() (browser / Node.js): ✅ FIPS 140-3 aligned
  • Windows CryptGenRandom / BCryptGenRandom (CNG): ✅ FIPS 140-3 validated
  • Linux /dev/urandom (kernel ≥ 3.17): ✅ FIPS 140-3 aligned
  • OpenSSL 3.x FIPS provider: ✅ CMVP validated (cert #4282)
  • JavaScript Math.random(): ❌ Not FIPS compliant, never use
  • System time / sequential seeds: ❌ Not FIPS compliant, never use
  • Human-chosen passwords: ❌ Not FIPS compliant, no guaranteed entropy

PassGeni uses crypto.getRandomValues() exclusively for all password generation. This API calls the operating system's CSPRNG, which on all modern platforms meets FIPS 140-3 entropy requirements. The entropy source is documented in every PassGeni compliance certificate under the entropy_source claim.

Entropy source documentation is not optional. For FIPS 140-3 audits, you must be able to identify the specific entropy source used for each credential. "I used a strong password" is not auditable. "Generated via crypto.getRandomValues() on PassGeni, certificate passgeni.ai/cert/[id]" is auditable.

DoD STIG password requirements

Security Technical Implementation Guides (STIGs) are DISA-published configuration standards that translate FIPS 140-3 and NIST requirements into specific, system-level rules. For passwords, the most relevant STIGs are:

  • Application Security and Development STIG — covers password policies for custom applications
  • General Purpose Operating System STIG — covers OS-level password controls
  • Active Directory STIG — covers domain authentication policy
  • Web Server STIG — covers service account and admin credentials

Common STIG password requirements across versions:

  • Minimum password length: 15 characters (most STIGs) to 20 characters (high-impact)
  • Minimum uppercase characters: ≥ 2
  • Minimum lowercase characters: ≥ 2
  • Minimum numeric characters: ≥ 2
  • Minimum special characters: ≥ 2
  • Password history (no reuse): last 5 passwords (most) to last 24 (high-impact)
  • Lockout threshold: 3 failed attempts
  • Lockout duration: 15 minutes minimum

FedRAMP alignment

FedRAMP (Federal Risk and Authorization Management Program) authorization requires FIPS 140-2 or 140-3 validated encryption for all data in transit and at rest. For password generation specifically:

  • All credentials protecting FedRAMP-authorized systems must be generated using a FIPS-validated entropy source
  • Service account credentials require documented provenance — FedRAMP assessors expect to see how credentials were generated
  • Credential rotation must be documented and logged in the system's Plan of Action and Milestones (POA&M)
  • High-impact systems (IL4/IL5 equivalents) require privileged account credentials of 20+ characters with all character classes

PassGeni compliance certificates directly address FedRAMP documentation requirements by providing a machine-readable, tamper-evident record of credential generation parameters and entropy source for every credential issued.

Documented provenance and audit trail

FIPS 140-3 and its implementing guidance require more than just secure credential generation — they require proof. Specifically:

  • The entropy source must be identified and its FIPS validation status documented
  • The generation parameters (length, character set, compliance standard) must be recorded at generation time
  • The record must be tamper-evident — auditors need confidence that it cannot be altered after the fact
  • The record must be accessible to auditors without requiring trust in the credential holder

PassGeni compliance certificates satisfy all four requirements. Each certificate is an ES256-signed JWT containing the complete generation record. The ES256 signature is cryptographically bound to the content — any alteration invalidates it immediately. Certificates are publicly verifiable at the cert URL and verifiable offline using PassGeni's published public key at passgeni.ai/.well-known/jwks.json.

  • Entropy source documented: crypto.getRandomValues (FIPS 140-3 aligned)
  • Generation parameters recorded: length, character classes, compliance standard
  • Tamper-evident: ES256 digital signature; any change breaks verification
  • Independently verifiable: offline verification via /.well-known/jwks.json
  • Auditor access: public URL, no login required

FIPS 140-3 vs HIPAA, PCI-DSS, NIST

How FIPS 140-3 password requirements compare to the other major compliance frameworks:

  • FIPS 140-3: 20 chars · all 4 classes · FIPS entropy source · documented provenance
  • SOC 2 CC6.1: 16 chars · complexity · auditor discretion on entropy source
  • ISO 27001 Annex A.9: 14 chars · all 4 classes · no entropy source requirement
  • PCI-DSS v4.0 Req 8.3: 12 chars · 3 of 4 classes · no entropy source requirement
  • HIPAA §164.312: 12 chars recommended · best practice complexity · no entropy source requirement
  • NIST 800-63B: 8 chars min · no complexity rules · breach checking required

A password that meets FIPS 140-3 requirements automatically meets all other major frameworks. This is why the PassGeni FIPS 140-3 preset is a useful default for organisations that need to satisfy multiple standards simultaneously.

Implementation checklist

Use this checklist when implementing FIPS 140-3 compliant password controls for federal systems or pursuing DoD STIG compliance:

  1. Identify all credentials in scope — user accounts, service accounts, admin accounts, API keys, database passwords
  2. For each credential: verify it was generated with a FIPS-validated entropy source (not Math.random(), not human-chosen)
  3. Rotate any credential without documented provenance using PassGeni FIPS 140-3 preset
  4. Collect compliance certificate URLs for all rotated credentials — this is your audit evidence
  5. Enforce minimum 20-character length for all new credentials at the system level (Group Policy, PAM configuration, application settings)
  6. Require all four character classes (uppercase, lowercase, digits, symbols) with a minimum of 2 each (STIG requirement)
  7. Implement lockout after 3 failed attempts with 15-minute lockout duration
  8. Enable MFA for all privileged accounts — FIPS 140-3 hardware tokens (PIV/CAC cards) for DoD systems
  9. Configure password history to prevent reuse of last 5–24 passwords (per applicable STIG)
  10. Document entropy source and credential generation procedures in system security plan (SSP)
  11. Store compliance certificate URLs alongside credentials in secrets management system
  12. Schedule annual credential rotation with renewed certificates

Generate a FIPS 140-3 compliant password now. PassGeni's FIPS 140-3 preset enforces 20-character minimum, all four character classes, and uses crypto.getRandomValues() as the validated entropy source. The resulting compliance certificate documents the entropy source and generation parameters — satisfying DoD STIG and FedRAMP documentation requirements.

Frequently asked questions

What are the FIPS 140-3 password requirements?

FIPS 140-3 requires a minimum 20-character password length, entropy generated exclusively from a FIPS-validated cryptographic module (such as crypto.getRandomValues in modern browsers, which is FIPS 140-3 aligned), documented entropy source provenance, and an audit trail for credential generation. Complexity (all character classes) is expected by implementing guidance.

Who must comply with FIPS 140-3 password requirements?

FIPS 140-3 compliance is mandatory for US federal agencies and their contractors handling classified or sensitive unclassified information, DoD suppliers, vendors providing cryptographic products for federal use, and organisations pursuing FedRAMP authorization. Private companies not in the federal supply chain are not legally required to comply.

What is the minimum password length under FIPS 140-3?

FIPS 140-3 implementing guidance requires a minimum of 20 characters for passwords protecting cryptographic modules. This is the highest minimum of any major compliance framework — significantly above HIPAA (12), PCI-DSS (12), SOC 2 (16), and ISO 27001 (14).

What is a FIPS-validated entropy source?

A FIPS-validated entropy source is a random number generator that has been tested and certified by NIST's Cryptographic Module Validation Program (CMVP). For password generation, the browser's crypto.getRandomValues() API uses the operating system's CSPRNG, which on modern systems (Windows CNG, Linux /dev/urandom) meets FIPS 140-3 requirements. PassGeni documents this entropy source in every certificate.

Does FIPS 140-3 require password complexity?

FIPS 140-3 itself defines module security requirements, not password composition rules. However, DoD implementing guidance (STIG requirements) combined with FIPS 140-3 requirements typically mandate all four character classes (uppercase, lowercase, digits, special characters) plus the 20-character minimum. Refer to the specific STIG for your system type.

How does FIPS 140-3 differ from FIPS 140-2?

FIPS 140-3 replaced FIPS 140-2 in 2019 and is based on ISO/IEC 19790:2012. Key changes include alignment with international standards, updated entropy requirements, and stricter module lifecycle requirements. FIPS 140-2 validations remain accepted for existing systems until their certificate expires. New validation submissions must target FIPS 140-3.

What is CMVP and why does it matter for passwords?

The Cryptographic Module Validation Program (CMVP) is a joint NIST/CCCS program that validates cryptographic modules against FIPS 140-3. Passwords must be generated using CMVP-validated modules to meet the FIPS entropy source requirement. PassGeni uses crypto.getRandomValues() — the browser's OS-level CSPRNG — which satisfies this requirement on all major platforms.

What is a DoD STIG and how does it relate to FIPS 140-3?

DoD STIGs (Security Technical Implementation Guides) are configuration standards published by DISA that specify how to implement FIPS 140-3 requirements for specific systems, applications, and operating systems. STIGs typically mandate 15–20 character passwords with full complexity, FIPS-validated generation, and documented change procedures. Contractors must comply with the applicable STIG for their environment.

Can PassGeni generate FIPS 140-3 compliant passwords?

Yes. PassGeni's FIPS 140-3 compliance preset enforces 20-character minimum length, all character classes, and uses crypto.getRandomValues() as the FIPS-aligned entropy source. The compliance certificate documents the entropy source, generation parameters, and provenance — providing the audit trail FIPS 140-3 and DoD STIG requirements demand.

What documentation does FIPS 140-3 require for password generation?

FIPS 140-3 and its implementing DoD/FedRAMP guidance require documentation of: the entropy source used and its validation status, generation parameters (length, character set, complexity rules), the compliance standard the credential was generated to meet, and a tamper-evident record that the credential was machine-generated (not human-chosen). PassGeni's compliance certificate provides all of this in a cryptographically signed JWT.
