Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • @[email protected]
    link
    fedilink
    English
    122 months ago

    Rules here are 64 as a reasonable maximum. A lot of programmers don’t realize that bcrypt and scrypt max at 72 bytes (which may or may not be the same as 72 characters). You can get around it by prehashing, but meh. This is long enough even for a reasonable passphrase scheme.