Closed sohsatoh closed 2 months ago
I'd consider a max of 128 and support at least up to 64.
NIST has stated the following in 800-63B.
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
Allow at least 64 characters in length to support the use of passphrases.
Therefore, I agree that the maximum character length should be "at least 64 characters".
However, I believe that how many characters is appropriate as the upper limit is a controversial issue. This should be based on some criteria, and I think there is still room for debate.
Why have an upper limit at all?
It's not an upper limit. It's a least upper bound.
-kevin
On Wed, Apr 10, 2024, 10:57 AM Shlomo Zalman Heigh @.***> wrote:
Why have an upper limit at all?
(comment on GitHub: https://github.com/OWASP/CheatSheetSeries/issues/1376#issuecomment-2047784453)
So maybe it should be worded something like, "A maximum length is not recommended. However, if one is needed, it should not be lower than __ chars".
Sounds good. I support a minimum of 64 characters as specified by NIST.
Like,
The maximum length of the password should be specified as 64 characters or more, as per the NIST guidelines.
(I am not a native English speaker, so there may be grammatical errors though.)
I will create a pull request after the discussion is concluded.
Edit: I had totally forgotten about ASVS. It states: "Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied."
However, I don't think 128 is based on any criteria.
I suggested this at ASVS 5.0:
Verify that passwords of at least 64 characters are permitted and that passwords above a certain max length (such as 128 or more characters) are denied.
What is missing or needs to be updated?
In this cheat sheet, the following statements are present.
These statements have the following problems.
DoS caused by character length is not a password requirement issue, but an implementation issue. Also, there seems to be no concrete basis for a 64-character length in the modern era.
How should this be resolved?
Remove the statement about DoS, or remove the statement about the specific number of characters that cause a DoS.
(Or it is also possible to lower the tone of the places where it says "important" and describe it at a level of "consider" instead)
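The length bounds debated in this thread, written out as an added example that is not part of the issue, the cheat sheet, or any PR from it. It encodes the NIST SP 800-63B floor (8 required, at least 64 permitted) and the thread's proposed rule that a ceiling, if one exists, is never below 64, using 128 (the ASVS example value) as the default ceiling. The NFC normalisation step, the `LengthPolicy` class and the "legacy" policy with a 20-character ceiling are this example's own assumptions and constructed values, not text from the thread.

```python
"""Password length policy check (added example; not from the OWASP cheat
sheet or this issue's PR).

Bounds modelled:
  * NIST SP 800-63B: at least 8 characters required, at least 64 permitted
  * an optional ceiling that, if set, is never below 64 (the wording
    proposed in the thread); 128 is the ASVS example ceiling
The check runs on the raw submission before any hashing, which is the
implementation layer where oversized input would otherwise cost CPU.
"""
from dataclasses import dataclass
from typing import List, Optional
import unicodedata

NIST_MIN_LENGTH = 8          # 800-63B: verifiers SHALL require at least 8
NIST_PASSPHRASE_LENGTH = 64  # 800-63B: verifiers SHOULD permit at least 64


def password_length(secret: str) -> int:
    """Count characters as code points after NFC normalisation.

    Normalising first means a passphrase typed with combining accents is
    not counted longer than the same text typed with precomposed
    characters. (Choosing NFC is this example's assumption.)
    """
    return len(unicodedata.normalize("NFC", secret))


@dataclass(frozen=True)
class LengthPolicy:
    min_len: int = NIST_MIN_LENGTH
    max_len: Optional[int] = 128  # None = no ceiling; 128 follows the ASVS example

    def nist_issues(self) -> List[str]:
        """Return why this policy conflicts with 800-63B, or [] if it does not."""
        issues = []
        if self.min_len < NIST_MIN_LENGTH:
            issues.append(
                f"minimum {self.min_len} is below the required {NIST_MIN_LENGTH}")
        if self.max_len is not None and self.max_len < NIST_PASSPHRASE_LENGTH:
            issues.append(
                f"maximum {self.max_len} blocks passphrases; "
                f"permit at least {NIST_PASSPHRASE_LENGTH}")
        return issues

    def evaluate(self, secret: str) -> str:
        """Classify a submitted secret as 'ok', 'too_short' or 'too_long'."""
        n = password_length(secret)
        if n < self.min_len:
            return "too_short"
        if self.max_len is not None and n > self.max_len:
            return "too_long"
        return "ok"


def demo() -> dict:
    """Constructed sample inputs showing how two policies behave."""
    recommended = LengthPolicy()                   # min 8, max 128
    legacy = LengthPolicy(min_len=8, max_len=20)   # constructed weak policy for contrast
    passphrase = "correct horse battery staple " * 3  # constructed, 87 characters
    return {
        "recommended_issues": recommended.nist_issues(),   # []
        "legacy_issues": legacy.nist_issues(),             # one passphrase complaint
        "passphrase_recommended": recommended.evaluate(passphrase),  # 'ok'
        "passphrase_legacy": legacy.evaluate(passphrase),            # 'too_long'
        "short_recommended": recommended.evaluate("abc1234"),        # 'too_short'
        "at_ceiling": recommended.evaluate("a" * 128),               # 'ok'
        "over_ceiling": recommended.evaluate("a" * 129),             # 'too_long'
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The policy object separates two questions the thread keeps conflating: whether the configured bounds themselves are acceptable (`nist_issues`) and whether a given submission passes them (`evaluate`). A ceiling of `None` shows the "no maximum" option is workable as long as the length check sits in front of the hashing step.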