this post was submitted on 26 Sep 2024
549 points (99.3% liked)

Technology

59627 readers
2807 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
549
NIST proposes barring some of the most nonsensical password rules (arstechnica.com)
submitted 2 months ago by Amicitas@lemmy.world to c/technology@lemmy.world
179 comments fedilink hide all child comments
 

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments
[–] cmnybo@discuss.tchncs.de 20 points 2 months ago (14 children)

Any password length (within reason) and any character should be allowed. It's going to be hashed and only the hash will be stored right? Length and character limits make me suspect it's being stored in plain text.

[–] frezik@midwest.social 12 points 2 months ago (1 children)

Rules here are 64 as a reasonable maximum. A lot of programmers don't realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.

[–] daddy32@lemmy.world 6 points 2 months ago

Minor note: 64 unicode characters is potentially much more than 72 bytes.

load more comments (12 replies)