Comment on NIST proposes barring some of the most nonsensical password rules
AliasVortex@lemmy.world 1 month agoI don’t know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brutal force-able (and because humans are lazy, there are almost certainly be passwords clustered around the minimum).
I very much agree with the rest though, it’s unnerving when sites have a low max length. It almost feels like advertising that passwords aren’t being hashed and if that’s the case there’s a snowball’s chance in hell that they’re also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn’t know how to sanitize strings (or entirely likely both)…
echodot@feddit.uk 1 month ago
The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don’t want to deal with that.
Although it would only be on the order of a couple of extra microseconds and I’m not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.
sugar_in_your_tea@sh.itjust.works 1 month ago
But it really doesn’t, unless you’re sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.
I usually set mine to 256 characters to prevent DOS attacks, and also so I don’t need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don’t want to be there all day if I ever need to manually enter it (looking at you stupid smart TV…).
subtext@lemmy.world 1 month ago
That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.