@LukaszOlejnik I still don't get why they should limit the password length.

@delegatevoid @LukaszOlejnik Upper limits on passphrase length are mostly about closing a possible resource exhaustion vector on the authenticating system. If you hash it all down to 64 bytes, there’s no point dealing with passphrases longer than 128 characters. Further characters don’t add any further entropy, but if you have no upper bound, some knucklehead is going to make your server hash the entirety of War and Peace over and over.

@bob_zim @LukaszOlejnik Ah yes, that does make sense. Still I would have liked them to put the maximum length at 128. The minimum length should be long enough so no human can possibly remember it (to discourage them from doing exactly that, and to force them to use a password manager) and the maximum has to make sense like you explained.

@dmaonR @bob_zim @LukaszOlejnik I have over 500 accounts in different systems, I don't remember a single one of them. Password managers work great for any system that requires a password, I don't see why it would only work for websites. What you are probably saying is that you use browsers plugins which help you fill in usernames/passwords in web browsers. And some password managers can also input data into other apps. (Acting as a keyboard or using the copy/paste buffer automatically)

@delegatevoid
These NIST standards are for password authentication. Everything from websites (your use case) to things that require a keyboard and VGA. You are making the argument that everything should use a hardware token. A different set of NIST standards. A different set of risks. Password managers have another set of risks. Okta was compromised via a password manager. Passwords are bad, but you fundamentally misunderstand the scope of the problem.