A minimum password length should be enforced by the application. Many security researchers suggest at least 12–16 characters.
Maximum password length should not be set too low, as that prevents users from creating passphrases. A common maximum is 64 characters; the limit exists because some hashing algorithms truncate long input (bcrypt, for example, only uses the first 72 bytes) and because hashing arbitrarily long input costs CPU time that an attacker can exploit.
Allow usage of all characters, including Unicode and whitespace, and apply Unicode normalization (NFKC or NFKD, as NIST recommends) before hashing so that the same password entered from different keyboards verifies consistently. There should be no password composition rules limiting the type of characters permitted.
Ensure credential rotation when a password leak or data breach is identified.
Include a password strength meter to help users create stronger passwords, and block common and previously breached passwords.
Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords.
Align password length, complexity, and rotation policies with NIST SP 800-63B section 5.1.1 (Memorized Secrets) or other modern, evidence-based password policies.
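The following is an added example, not code from the original page, showing how the rules above combine into one validator: a minimum of 12 and maximum of 64 code points, no composition rules, whitespace and Unicode accepted, NFKC normalization before any check, a case-insensitive blocklist lookup, and an optional byte-length check for hashes such as bcrypt that truncate at 72 bytes. The blocklist and the error codes are constructed for illustration; a real deployment would load the top-10,000 list from disk, normalized the same way as user input.

```python
from __future__ import annotations

import unicodedata

MIN_LENGTH = 12   # code points; 12-16 is the commonly recommended minimum
MAX_LENGTH = 64   # code points; allow passphrases but cap hashing cost
BCRYPT_BYTE_LIMIT = 72  # bcrypt silently ignores everything past 72 bytes

# Constructed sample of a common/breached-password list. Entries are stored
# casefolded and NFKC-normalized so lookups match what the user typed.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "password1", "admin123", "welcome1",
}


def normalize(password: str) -> str:
    """NFKC-normalize as NIST SP 800-63B recommends for memorized secrets.

    This maps compatibility forms (full-width letters, ligatures) to their
    canonical equivalents so the same secret hashes identically regardless
    of the keyboard or input method used. Whitespace is deliberately kept.
    """
    return unicodedata.normalize("NFKC", password)


def check_password(password: str,
                   blocklist: set[str] = BLOCKLIST,
                   hash_byte_limit: int | None = None) -> list[str]:
    """Return a list of policy-violation codes; an empty list means accepted.

    hash_byte_limit: pass 72 when the password hash is bcrypt so that a
    64-code-point Unicode password that expands past 72 UTF-8 bytes is
    rejected (or pre-hashed) rather than silently truncated.
    """
    errors: list[str] = []
    pw = normalize(password)
    length = len(pw)  # count code points, not bytes

    if length < MIN_LENGTH:
        errors.append("too_short")
    if length > MAX_LENGTH:
        errors.append("too_long")

    # Weak/breached-password check: exact case-insensitive match against
    # the list. No composition rules (digits, symbols, case) are enforced.
    if pw.casefold() in blocklist:
        errors.append("blocked")

    if hash_byte_limit is not None and len(pw.encode("utf-8")) > hash_byte_limit:
        errors.append("exceeds_hash_byte_limit")

    return errors


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password",
                      "Ｐａｓｓｗｏｒｄ", "😀" * 20]:
        print(repr(candidate), check_password(candidate,
                                              hash_byte_limit=BCRYPT_BYTE_LIMIT))
```

The full-width "Ｐａｓｓｗｏｒｄ" case shows why normalization runs before the blocklist lookup: without NFKC it would slip past a plain string comparison with "password". The emoji case shows the bcrypt caveat: 20 code points is well within the 64-character maximum, yet it is 80 UTF-8 bytes, so bcrypt would hash only the first 18 characters. If you keep bcrypt, either reject such input as shown or pre-hash with SHA-512 and base64-encode before bcrypt; Argon2id or scrypt have no such limit.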