---
title: Support 12-64 Character Passwords
impact: MEDIUM
impactDescription: enables secure passphrase usage
tags: password, length, passphrase, security
---

## Support 12-64 Character Passwords

Long passwords and passphrases are more secure than short, complex ones. Don't impose restrictive length limits that prevent users from choosing passphrases.

**Incorrect (restrictive limits):**

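```go
// Too restrictive max length: a 16-character cap rules out passphrases.
// len() also counts bytes, not characters, so non-ASCII passwords hit the cap sooner.
if len(password) < 8 || len(password) > 16 {
    return errors.New("password must be 8-16 characters")
}
```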

**Correct (reasonable limits):**

```go
import (
    "errors"
    "unicode/utf8"
)

// ValidatePassword enforces a 12-64 character length policy.
func ValidatePassword(password string) error {
    // Count characters (runes), not bytes, so multi-byte characters are not penalized.
    length := utf8.RuneCountInString(password)

    if length < 12 {
        return errors.New("password too short (min 12)")
    }

    if length > 64 {
        return errors.New("password too long (max 64)")
    }

    // For long passwords (e.g., 20+), complexity rules can be relaxed
    if length < 20 {
        // check for symbols, numbers, etc.
    }

    return nil
}
```

**NIST Guidelines:**
- Minimum length of 8-12+ characters.
- Maximum length of 64+ characters.
- Allow spaces and all printable Unicode characters.
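
Added example (not part of the original rule): a validator that applies the 12-64 limit to characters rather than bytes and accepts spaces and printable Unicode, as the guidelines above describe. `CheckPassphrase`, the error variables and the sample passwords are constructed for illustration, and treating `unicode.IsPrint` as the definition of "printable" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// Limits from this rule; the constant names are assumptions of this example.
const minChars, maxChars = 12, 64

var (
	ErrInvalidUTF8  = errors.New("password is not valid UTF-8")
	ErrTooShort     = errors.New("password too short (min 12)")
	ErrTooLong      = errors.New("password too long (max 64)")
	ErrNotPrintable = errors.New("password contains a non-printable character")
)

// CheckPassphrase (hypothetical name) measures length in characters, not bytes,
// and accepts ASCII space plus any printable Unicode character.
func CheckPassphrase(password string) error {
	if !utf8.ValidString(password) {
		return ErrInvalidUTF8
	}
	n := 0
	for _, r := range password {
		// IsPrint accepts letters, marks, numbers, punctuation, symbols and ASCII
		// space; it rejects tabs, newlines and other control characters.
		if !unicode.IsPrint(r) {
			return ErrNotPrintable
		}
		n++
	}
	switch {
	case n < minChars:
		return ErrTooShort
	case n > maxChars:
		return ErrTooLong
	}
	return nil
}

func main() {
	// Constructed sample inputs: two passphrases, one short password, one with a tab.
	for _, p := range []string{"correct horse battery staple", "пароль-из-слов-2024", "short", "tab\tseparated words here"} {
		fmt.Printf("%q bytes=%d chars=%d -> %v\n", p, len(p), utf8.RuneCountInString(p), CheckPassphrase(p))
	}
}
```

The Cyrillic sample is 19 characters but 31 bytes, so a byte-based `len()` check with a 16 limit would reject it twice over while this validator accepts it.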

**Tools:** Password Policy logic, Manual Review
