Just take the string as bytes and hash it ffs

  • rekabis@lemmy.ca
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    3 months ago

    16 characters was the minimum length a password should be due to how easy it was to crack… something like a decade ago.

    Now it’s something like 20 to 24 characters.

    Seriously, if your company is defining maximum password length and demanding specific content, it is failing at the security game. Have the storage location accept a hashed UTF-8 string of at least 4096 bytes - or nvarchar(max) if it’s a database field - and do a bitwise complexity calculation on the raw password as your only “minimum value” requirement.

    Look at how KeePass calculates password complexity, and replicate that for whatever interface you are using. Ensure that it is reasonable, such as 150-200bit complexity, and let users choose whatever they want to achieve that complexity.