Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • @[email protected]
    link
    fedilink
    English
    42 months ago

    Then you’re vulnerable to simple brute force attacks, which if paired with a dumped hash table, can severely cut the time it takes to solve the hash and reveal all passwords.

    • @[email protected]
      link
      fedilink
      English
      72 months ago

      By any length I meant no maximum length. Obviously you don’t want to use a super short password.

      • @[email protected]
        link
        fedilink
        English
        42 months ago

        Some kind of upper bound is usually sensible. You can open a potential DoS vector by accepting anything. The 72 byte bcrypt/scrypt limit is generally sensible, but going for 255 would be fine. There’s very little security to be gained at those lengths.

        • @[email protected]
          link
          fedilink
          English
          12 months ago

          I do 256 so I hopefully never need to update it, but most of my passwords are 20-30 characters or something, and generated by my password manager. I don’t care if you choose to write a poem or enter a ton of unicode, I just need a bunch of bytes to hash.