Here is the text of the NIST sp800-63b Digital Identity Guidelines.

    • dual_sport_dork 🐧🗡️
      253 months ago

      Characters are characters. The system I just wrote will accept anything, because the first thing I do with it is hash it. If you want to make your password:

      ░▒▓█ ʥ۞ݔݯݲݸݴݺ '; drop table users; 🤣💩ʩ █▓▒░

      Then go for it. More power to you for typing that out or, more likely, letting your password manager remember it. Make your password as entropic as you can manage, I don’t care how you arrive there.

      • @[email protected]
        163 months ago

        Yup. All I care is that your password isn’t the entire works of Shakespeare or something like that. A couple hundred characters/bytes? You do you.

        What really bothers me is when a website says something like: must have a special character, except these ones (proceeds to list everything except @ and !). And then the next one has the same rule, but different exceptions.

        Passwords should be treated as a black box, just read it as bytes and throw it into the hash algorithm. You want to somehow enter a nyan cat? Be my guest, no guarantee the input box will accept it though.

        • Corhen
          123 months ago

          also: “password is too long, max password length is 12 digits”

          Why… like, sure, cap it at 256 or something reasonable. But I’ve run into as low as 9 digits.

          • @[email protected]
            10
            3 months ago

            One of the four major banks in Australia used to (or maybe still does?) limit passwords to 6 characters. No more, no less. Exactly 6. They’re case insensitive, too.

            One of the other banks used to silently truncate passwords (to 12 characters if I remember correctly). They removed the truncation one day, and there were so many issues because people who had passwords longer than 12 characters couldn’t log in unless they knew to only enter the first 12 characters of it. It was a mess. Their phone support had a recorded message saying to only enter the first 12 characters if you have trouble logging in.

          • @Sneezydinosaur
            73 months ago

            I had a simulator for school truncate after like 13 characters. And nowhere on their page did it specify a character limit. Would still accept an input of like 64 characters though. Got locked out of that account many times.

            • @Hazor
              73 months ago

              I’ve run into similar: on the account creation page there was no character limit on the input box nor stated in the password requirements, but on the login page the password input box was limited to 14 characters. So you could successfully create an account with a long password, you just couldn’t log in because it wouldn’t let you enter the whole password.

      • @[email protected]
        43 months ago

        Haha, and I smiled when I was looking for the single quote in your password and sure, it is there 👍👍

    • @datelmd5sum
      93 months ago

      my password is just 20 gigabytes of poop emojis.

      • @[email protected]
        43 months ago

        Yeah, multiple languages or even putting an ê or something in an English password to mix things up. It makes perfect sense to allow.

        It’s a good thing they require each codepoint to be treated as one character for the length limit, since “🤔🤣” is 8 bytes on its own, but the Unicode prefix is trivial to guess.

    • noughtnaut
      33 months ago

      Emoji passwords made me think of the Lotus Notes password prompt with their little images that changed as I typed (which never really made sense to me).

      Yes, I’m old…
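
The handling discussed in the thread above, as an added example that is not code from any commenter or from NIST: accept any characters, count length in code points, reject over-long input instead of truncating it, and hash the UTF-8 bytes. PBKDF2-SHA256, the 8 and 256 limits, the round count, and all function names are assumptions chosen for illustration; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

MIN_CODEPOINTS = 8       # assumed minimum for this example
MAX_CODEPOINTS = 256     # assumed cap ("256 or something reasonable")
ROUNDS = 600_000         # assumed PBKDF2 work factor; tune for your hardware


class PasswordRejected(ValueError):
    """Raised instead of silently altering the user's input."""


def check_length(password: str) -> int:
    # len() on a Python str counts Unicode code points, not UTF-8 bytes,
    # so "🤔🤣" counts as 2 even though it encodes to 8 bytes.
    n = len(password)
    if not MIN_CODEPOINTS <= n <= MAX_CODEPOINTS:
        raise PasswordRejected(f"length {n} outside {MIN_CODEPOINTS}..{MAX_CODEPOINTS}")
    return n


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> Tuple[bytes, bytes]:
    # No character allow/deny list: the string is only ever encoded and hashed.
    check_length(password)
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def verify_password(password: str, salt: bytes, expected: bytes,
                    rounds: int = ROUNDS) -> bool:
    try:
        _, digest = hash_password(password, salt, rounds)
    except PasswordRejected:
        return False
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def truncating_hash(password: str, salt: bytes, limit: int = 12,
                    rounds: int = ROUNDS) -> bytes:
    # The failure mode from the thread: everything past `limit` is discarded,
    # so distinct passwords sharing a prefix produce the same hash.
    return hashlib.pbkdf2_hmac("sha256", password[:limit].encode("utf-8"), salt, rounds)


if __name__ == "__main__":
    odd = "ʥ '; drop table users; 🤣💩"   # constructed sample input
    salt, stored = hash_password(odd)
    print(verify_password(odd, salt, stored))
```

With a truncating scheme, "correct horse battery" and "correct horse staple" hash identically at a 12-character limit, which is why removing truncation later locks out users whose stored hash was computed over the shortened input.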