543
NIST proposes barring some of the most nonsensical password rules (arstechnica.com)
submitted 3 days ago by Amicitas@lemmy.world to c/technology@lemmy.world
179 comments fedilink hide all child comments

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments
[-] echodot@feddit.uk 2 points 3 days ago

The only justifiable reason I can see to have a length limit is because longer passwords would take more time to process and they don't want to deal with that.

Although it would only be on the order of a couple of extra microseconds and I'm not sure how much difference it would really make. But even on cyber security forums the max password length is 64 characters.

[-] sugar_in_your_tea@sh.itjust.works 2 points 3 days ago

But it really doesn't, unless you're sending megabytes of text or something. Industry standard password algorithms run the hash a lot of times, and your entry will only impact the first iteration.

I usually set mine to 256 characters to prevent DOS attacks, and also so I don't need to update it ever. Most of my passwords are actually around 20-30 characters in length (I pick a random length in the slider on my password manager), because I don't want to be there all day if I ever need to manually enter it (looking at you stupid smart TV...).

[-] subtext@lemmy.world 3 points 2 days ago

unless you're sending megabytes of text or something

That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.

this post was submitted on 26 Sep 2024
543 points (99.3% liked)

Technology

58302 readers
3195 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world