Small rant incoming. I just went to look at applying to Walmart, and when going to make an account their password requirements were 8-11 characters. What kinda nonsense is that? Some terribly made backend I’d assume. It’s bad enough I gotta make a million accounts when applying to jobs but then you got my PII sitting behind such terrible password requirements it makes me wonder where else they are cutting corners on security.
Why stop there? 128 or 256 sound much nicer. Actually, while you’re at it, 4096 should be enough to fit a short story.
There are use cases where long passwords could be problematic. 64 would be long enough for most purposes, but short enough not to cause issues for things like microcontrollers.
It should be paired with a strongly recommended larger value, however.
The new NIST recommendations give a recommendation of at least a 64-character maximum.
https://pages.nist.gov/800-63-4/sp800-63b.html#passwordver