security - NIST guidelines for maximum password length


Concerning the NIST guidelines here: https://pages.nist.gov/800-63-3/sp800-63b.html

I have always thought maximum length password requirements were bogus. The only part of max length requirements that remotely makes sense is for legacy, old systems.

But for new ones that use hash algorithms? Why not remove the maximum length recommendation altogether instead of saying there should be a limit of 64 characters? If I want to type an entire soliloquy into the password field, why complain?

Why does NIST recommend this?

I think you've misunderstood the requirement. From the doc:

5.1.1.2 Memorized Secret Verifiers

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

They are saying that

  • the user must supply a password of at least 8 characters.
  • the system should be able to handle at least 64 characters.

They are not stating a maximum. 8 is a minimum imposed on the user; 64 is a minimum imposed on the system. You can allow 64,000 if you want.

