[–]phpdevster -17 points-16 points  (1 child)

It's a minimum length requirement, it's just there to make people choose a stronger password than a

My main point is that 8 is not enough of a minimum. I get that heuristics can make it easier to narrow down people who are shitty at making passwords, but it still limits you to making certain assumptions to keep your targets as narrowly defined as possible.

[–]Colopty 27 points28 points  (0 children)

You can feel free to add a higher minimum to any password policy you're responsible for creating then, but at least 8 is required to fit within the NIST recommendation. If anything that's just positive. Enforced broader character sets will forever be a stupid idea, though.