NIST proposes barring some of the most nonsensical password rules - eviltoast

Here is the text of the NIST SP 800-63B Digital Identity Guidelines.

  • wreckedcarzz@lemmy.world
    2 months ago

    USAA does this. I recently learned that, when I updated my password a few years back to my personal standard number of characters, everything was good until someone mentioned this fuck-up in a thread. USAA only checks the first… 16? characters. I assume it just discards anything beyond that. Other users say that it warns and doesn’t let you enter more than that during password creation, but it/my pw mgr sure didn’t care, as I have a password several fold that limit. I took out a couple characters from my ‘set’ password, and it still logged in just fine. 16, just fine. 15, error.

    Fucking wild.
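
The behaviour reported in the comment above (16 characters accepted, 15 rejected) is what a verifier produces when it silently truncates input before hashing. The following is an added example, not part of the thread and not any real site's code: a self-test a service owner could run against their own enroll/verify functions to catch silent truncation. The 16-character limit, the function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_CHECKED = 16  # assumption: the limit the comment reports observing

def _kdf(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the self-test runs quickly; not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

# Weak variant: everything past MAX_CHECKED is silently discarded before hashing.
def enroll_truncating(password: str, salt: bytes) -> bytes:
    return _kdf(password[:MAX_CHECKED], salt)

def verify_truncating(attempt: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_kdf(attempt[:MAX_CHECKED], salt), stored)

# Corrected variant: the whole password is hashed, so every character counts.
def enroll_full(password: str, salt: bytes) -> bytes:
    return _kdf(password, salt)

def verify_full(attempt: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(_kdf(attempt, salt), stored)

def shortest_accepted_prefix(enroll, verify, password: str):
    """Enroll `password`, then return the length of the shortest prefix
    that still authenticates. Anything below len(password) means the
    verifier is ignoring trailing characters."""
    salt = os.urandom(16)
    stored = enroll(password, salt)
    for n in range(1, len(password) + 1):
        if verify(password[:n], salt, stored):
            return n
    return None

# Constructed sample password, longer than the assumed limit.
SAMPLE = "correct horse battery staple 2024!"

if __name__ == "__main__":
    for name, e, v in (("truncating", enroll_truncating, verify_truncating),
                       ("full", enroll_full, verify_full)):
        n = shortest_accepted_prefix(e, v, SAMPLE)
        status = "TRUNCATES" if n < len(SAMPLE) else "ok"
        print(f"{name}: shortest accepted prefix = {n}/{len(SAMPLE)} -> {status}")
```

Run as a regression test, this fails the build whenever the shortest accepted prefix is shorter than the enrolled password.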