
Concerning the NIST guidelines here: https://pages.nist.gov/800-63-3/sp800-63b.html

I have always thought maximum length password requirements are bogus. For the most part max length requirements only even remotely make sense for legacy and very old systems.

But for new ones, that all use good hash algorithms? Why not remove the maximum length recommendation altogether instead of saying there should be a limit of 64 characters? If I want to type an entire soliloquy into the password field, why complain?

Why would NIST recommend this?

Jono

1 Answer


I think you've misunderstood the requirement. From the doc:

5.1.1.2 Memorized Secret Verifiers

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

They are saying that

  • The user must supply a password of at least 8 characters.
  • The system should be able to handle at least 64 characters.

They are not stating a maximum. The 8 is a minimum imposed on the user; the 64 is a minimum imposed on the system. You could allow 64,000, if you want.

John Wu
  • It would seem NIST recommends max 64 chars now, as does OWASP https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#password-managers https://www.auditboard.com/blog/nist-password-guidelines/ – U4EA Jul 02 '22 at 13:46
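As an added example (not code from the question, the answer, or NIST), here is how the two length rules of SP 800-63B section 5.1.1.2 read when written as a verifier-side check: 8 is a floor on the subscriber, 64 is a floor on what the verifier must accept, and lengths are counted in characters rather than UTF-8 bytes. The class and constant names are hypothetical, and the sample secrets are constructed.

```python
# Added example: verifier-side length check for NIST SP 800-63B 5.1.1.2.
# Rule 1 (SHALL): reject subscriber-chosen secrets shorter than 8 characters.
# Rule 2 (SHOULD): the verifier must accept secrets of at least 64 characters,
# so any upper bound the operator configures may not be set below 64.
# Lengths are counted in Unicode code points, not UTF-8 bytes, so a 64-character
# non-ASCII secret is not wrongly rejected as "too long".
from dataclasses import dataclass
from typing import Optional, Tuple

NIST_MIN_LENGTH = 8       # minimum imposed on the subscriber
NIST_MIN_ACCEPTED = 64    # minimum the verifier must be able to accept


@dataclass(frozen=True)
class MemorizedSecretPolicy:
    # None means no upper bound; the answer's "64,000" is also a valid choice.
    max_length: Optional[int] = None

    def __post_init__(self) -> None:
        if self.max_length is not None and self.max_length < NIST_MIN_ACCEPTED:
            raise ValueError(
                f"max_length {self.max_length} < {NIST_MIN_ACCEPTED}: "
                "800-63B 5.1.1.2 says verifiers SHOULD accept >= 64 characters"
            )

    def check(self, secret: str) -> Tuple[bool, str]:
        """Return (accepted, reason) for a subscriber-chosen secret."""
        # len() on a str counts code points, not the bytes of its UTF-8 form.
        n = len(secret)
        if n < NIST_MIN_LENGTH:
            return False, f"too short: {n} < {NIST_MIN_LENGTH} characters"
        if self.max_length is not None and n > self.max_length:
            return False, f"too long: {n} > {self.max_length} characters"
        return True, "ok"


if __name__ == "__main__":
    policy = MemorizedSecretPolicy(max_length=64_000)
    # Constructed sample: 64 Cyrillic letters are 128 UTF-8 bytes but 64 characters.
    cyrillic = "ж" * 64
    print(len(cyrillic), len(cyrillic.encode("utf-8")))
    for s in ["short7!", "exactly8", cyrillic, "To be, or not to be " * 10]:
        print(policy.check(s))
```

Configuring `max_length=32` raises at construction time, which is the point of the second rule: a cap is allowed, but not one below 64.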