Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • frezik@midwest.social
    link
    fedilink
    English
    arrow-up
    5
    ·
    2 months ago

    It matters for bcrypt/scrypt. They have a 72 byte limit. Not characters, bytes.

    That said, I also think it doesn’t matter much. Reasonable length passphrases that could be covered by the old Latin-1 charset can easily fit in that. If you’re talking about KJC languages, then each character is actually a whole word, and you’re packing a lot of entropy into one character. 72 bytes is already beyond what’s needed for security; it’s diminishing returns at that point.