Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    3 months ago

    One of the four major banks in Australia used to (or maybe still does?) limit passwords to 6 characters. No more, no less. Exactly 6. They’re case insensitive, too.

    One of the other banks used to silently truncate passwords (to 12 characters if I remember correctly). They removed the truncation one day, and there were so many issues because people who had passwords longer than 12 characters couldn’t log in unless they knew to only enter the first 12 characters of it. It was a mess. Their phone support had a recorded message saying to only enter the first 12 characters if you have trouble logging in.