Comment on NIST proposes barring some of the most nonsensical password rules
cybersandwich@lemmy.world 1 month agoI think if you do allow 8 character passwords the only stipulation is that you check it against known compromised password lists. Again, pretty reasonable.
lvxferre@mander.xyz 1 month ago
That stipulation goes rather close to #5, even not being a composition rule.
I think that a better approach is to follow the recommended min length (15 chars), unless there are good reasons to lower it and you’re reasonably sure that your delay between failed password attempts works flawlessly.