Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • @subtext
    link
    English
    32 months ago

    unless you’re sending megabytes of text or something

    That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.