Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • Echo Dot
    link
    fedilink
    English
    23 months ago

    The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don’t want to deal with that.

    Although it would only be on the order of a couple of extra microseconds and I’m not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.

    • @[email protected]
      link
      fedilink
      English
      23 months ago

      But it really doesn’t, unless you’re sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.

      I usually set mine to 256 characters to prevent DOS attacks, and also so I don’t need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don’t want to be there all day if I ever need to manually enter it (looking at you stupid smart TV…).

      • @subtext
        link
        English
        33 months ago

        unless you’re sending megabytes of text or something

        That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.