Jono

Reputation: 1750

NIST guidelines for maximum password length

Concerning the NIST guidelines here: https://pages.nist.gov/800-63-3/sp800-63b.html

I have always thought maximum length password requirements are bogus. For the most part max length requirements only even remotely make sense for legacy and very old systems.

But for new ones, that all use good hash algorithms? Why not remove the maximum length recommendation altogether instead of saying there should be a limit of 64 characters? If I want to type an entire soliloquy into the password field, why complain?

Why would NIST recommend this?

Upvotes: 0

Views: 2400

Answers (1)

John Wu

Reputation: 52240

I think you've misunderstood the requirement. From the doc:

5.1.1.2 Memorized Secret Verifiers

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

They are saying that

  • The user must supply a password of at least 8 characters.
  • The system should be able to handle at least 64 characters.

They are not stating a maximum. The 8 is a minimum imposed on the user; the 64 is a minimum imposed on the system. You could allow 64,000, if you want.

Upvotes: 1
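To make the two bounds in the answer concrete, here is an added example of a verifier-side length policy; it is not code from the question, the answer, or NIST. The 1024-character cap, the choice of PBKDF2-HMAC-SHA256 from the Python standard library, and the NFKC normalisation step are assumptions made for this example; the quoted passage only fixes the 8-character floor for users and the 64-character floor for what the system must accept.

```python
import hashlib
import os
import unicodedata

MIN_USER_LENGTH = 8          # SHALL: subscriber must choose at least 8 characters
MIN_SYSTEM_LENGTH = 64       # SHOULD: verifier must accept at least 64 characters
MAX_ACCEPTED_LENGTH = 1024   # assumed cap for this example; any cap >= 64 meets the SHOULD

# The only constraint the guideline places on a cap is that it not fall below 64.
assert MAX_ACCEPTED_LENGTH >= MIN_SYSTEM_LENGTH, "cap would violate the 64-character SHOULD"


def check_length_policy(secret: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a subscriber-chosen memorized secret.

    Length is measured in Unicode code points, which is how 800-63B counts
    characters, so a 64-character passphrase of emoji is accepted even though
    it occupies 256 bytes in UTF-8.
    """
    n = len(secret)
    if n < MIN_USER_LENGTH:
        return False, f"too short: {n} < {MIN_USER_LENGTH} characters"
    if n > MAX_ACCEPTED_LENGTH:
        return False, f"too long: {n} > {MAX_ACCEPTED_LENGTH} characters (cap is a local choice)"
    return True, f"accepted: {n} characters, {len(secret.encode('utf-8'))} bytes"


def derive_verifier(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hash the whole secret with PBKDF2-HMAC-SHA256 (stdlib; an illustrative
    choice, not a recommendation taken from the post). NFKC normalisation is
    applied first so that the same text entered in different Unicode forms
    verifies consistently; that too is a design choice of this example."""
    normalized = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, iterations)


def uses_whole_secret(salt: bytes) -> bool:
    """Check that nothing past byte 72 is silently dropped: two constructed
    secrets sharing their first 72 bytes but differing afterwards must hash
    differently. A KDF that truncated would return equal digests here."""
    common = "a" * 72
    h1 = derive_verifier(common + "tail-one", salt)
    h2 = derive_verifier(common + "tail-two", salt)
    return h1 != h2


if __name__ == "__main__":
    # Constructed candidates covering both bounds and the byte/character distinction.
    for candidate in ["hunter2", "correct horse battery staple", "😀" * 64, "x" * 2000]:
        ok, why = check_length_policy(candidate)
        print(f"{ok!s:5} {why}")
    print("whole secret hashed:", uses_whole_secret(os.urandom(16)))
```

The cap exists only to bound the work a verifier does per login attempt, which is why any value of 64 or more satisfies the guideline. One caveat worth checking in a real deployment: bcrypt uses only the first 72 bytes of its input, so a 64-character secret made of multi-byte characters would be silently truncated by it; the `uses_whole_secret` check above is the kind of test that catches that, and the usual remedies are a KDF that consumes the whole input or a fixed-length pre-hash.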
