Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • subtext@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 months ago

    unless you’re sending megabytes of text or something

    That’s exactly what someone malicious would do though, either in a single password submission or DOS via the password maximum repeatedly. IMO there is no functional security difference between a 64 and a 256 character password, so the NIST 64 character max is reasonable.