Here is the text of the NIST SP 800-63B Digital Identity Guidelines.

  • AliasVortex@lemmy.world
    1 month ago

    I don’t know about a min length; setting a lenient lower bound means that any passwords in that space are going to be absolutely brute force-able (and because humans are lazy, there will almost certainly be passwords clustered around the minimum).

    I very much agree with the rest though, it’s unnerving when sites have a low max length. It almost feels like advertising that passwords aren’t being hashed, and if that’s the case there’s a snowball’s chance in hell that they’re also salted. Really restrictive character sets also tell me that said site / company either has super old infra or doesn’t know how to sanitize strings (or entirely likely both)…
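
Added example, not part of the comment above and not taken from the NIST text: a salted password-hashing sketch showing why a hashed store has no storage reason for a low max length or a restricted character set. The choice of PBKDF2-HMAC-SHA256, the iteration count, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16         # bytes of per-password random salt
HASH_LEN = 32         # bytes of derived key kept in the record


def _to_bytes(password: str) -> bytes:
    # Normalize Unicode so the same visible password always yields the same
    # bytes, then encode. The KDF only sees bytes, so no character is special.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> bytes:
    """Return salt || derived key: always SALT_LEN + HASH_LEN bytes."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt,
                             ITERATIONS, dklen=HASH_LEN)
    return salt + dk


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    dk = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt,
                             ITERATIONS, dklen=HASH_LEN)
    return hmac.compare_digest(dk, expected)


def record_sizes(passwords) -> set:
    """Distinct stored-record sizes across the given passwords."""
    return {len(hash_password(p)) for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs: short, very long, and "awkward" characters.
    samples = [
        "hunter2",
        "correct horse battery staple " * 8,
        "pässwörd'; DROP TABLE users;-- 🔑",
    ]
    print(record_sizes(samples))  # one size for every input
```

The stored record is the same size for every input, and quotes, semicolons, or emoji never reach a query as text. A generous upper bound on input size is still reasonable to limit request cost; it just has no reason to be small.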