NIST proposes barring some of the most nonsensical password rules - eviltoast

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • Echo Dot@feddit.uk
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don’t want to deal with that.

    Although it would only be on the order of a couple of extra microseconds and I’m not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      But it really doesn’t, unless you’re sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.

      I usually set mine to 256 characters to prevent DOS attacks, and also so I don’t need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don’t want to be there all day if I ever need to manually enter it (looking at you stupid smart TV…).

      • subtext@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        unless you’re sending megabytes of text or something

        That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.