---
title: Support 12-64 Character Passwords
impact: MEDIUM
impactDescription: enables secure passphrase usage and improves account security
tags: password, length, passphrase, security, kotlin
---

## Support 12-64 Character Passwords

Longer passwords (passphrases) are significantly harder to crack than short, complex ones. Capping password length at a small value (such as 16 characters) prevents users from choosing long, high-entropy passphrases.

**Incorrect (too restrictive limits):**

```kotlin
import jakarta.validation.constraints.Size

data class UserRegistration(
    @get:Size(min = 8, max = 16) val password: String // Max of 16 blocks longer passphrases
)
```

**Correct (reasonable limits following modern standards):**

```kotlin
import jakarta.validation.constraints.NotBlank
import jakarta.validation.constraints.Size

data class UserRegistration(
    @get:NotBlank
    @get:Size(min = 12, max = 64, message = "Password must be 12-64 characters")
    val password: String
)

// Complexity requirements that relax as the password gets longer
fun isPasswordSecure(password: String): Boolean {
    // Basic length check (String.length counts UTF-16 units, so a supplementary
    // character such as an emoji counts as 2)
    if (password.length !in 12..64) return false

    // NIST: long passphrases (16+) don't need arbitrary complexity rules
    if (password.length >= 16) return true

    // Shorter passwords (12-15) should have some complexity
    val hasUpper = password.any { it.isUpperCase() }
    val hasLower = password.any { it.isLowerCase() }
    val hasDigit = password.any { it.isDigit() }

    return hasUpper && hasLower && hasDigit
}
```

**Modern Password Guidelines:**
- **Minimum:** 12 characters (absolute minimum 8).
- **Maximum:** At least 64 characters (allow up to 128 if possible).
- **Composition:** Allow all characters, including spaces and Unicode.
- **Truncation:** Never truncate passwords before hashing.
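A fuller check that follows the Composition and Truncation guidelines above, added here as an example rather than code from the original rule: it applies the 12-64 limit to Unicode code points instead of UTF-16 units, normalizes with NFKC as NIST SP 800-63B recommends, and refuses to silently truncate when the hashing function has an input limit (bcrypt's 72-byte limit is assumed as the default). `checkPassword`, `PasswordCheck` and `hashInputLimitBytes` are hypothetical names.

```kotlin
import java.text.Normalizer

// Hypothetical result type for the example validator.
sealed class PasswordCheck {
    object Ok : PasswordCheck()
    data class Rejected(val reason: String) : PasswordCheck()
}

// hashInputLimitBytes: the largest input the password hasher actually uses.
// bcrypt hashes only the first 72 bytes and silently ignores the rest, so 72 is
// the assumed default; pass null for Argon2id, scrypt or PBKDF2, which have no limit.
fun checkPassword(raw: String, hashInputLimitBytes: Int? = 72): PasswordCheck {
    // NFKC normalization so the same passphrase typed on different platforms
    // yields the same bytes at registration and at login (NIST SP 800-63B).
    val password = Normalizer.normalize(raw, Normalizer.Form.NFKC)
    // Count code points, not UTF-16 units: String.length and Bean Validation's
    // @Size both count UTF-16 units, so an emoji counts as 2 and shortens the
    // passphrase a user is allowed to choose.
    val codePoints = password.codePointCount(0, password.length)
    if (codePoints < 12) return PasswordCheck.Rejected("shorter than 12 characters")
    if (codePoints > 64) return PasswordCheck.Rejected("longer than 64 characters")

    // 64 code points can be up to 256 UTF-8 bytes. If the hasher would drop part
    // of that, reject (and change hasher) rather than hash a silent prefix.
    if (hashInputLimitBytes != null) {
        val byteLength = password.toByteArray(Charsets.UTF_8).size
        if (byteLength > hashInputLimitBytes) {
            return PasswordCheck.Rejected(
                "is $byteLength UTF-8 bytes but the hasher uses only the first $hashInputLimitBytes; use a hasher without an input limit"
            )
        }
    }

    // Same rule as isPasswordSecure above: 16+ characters need no composition rules.
    if (codePoints >= 16) return PasswordCheck.Ok
    val hasUpper = password.any { it.isUpperCase() }
    val hasLower = password.any { it.isLowerCase() }
    val hasDigit = password.any { it.isDigit() }
    return if (hasUpper && hasLower && hasDigit) PasswordCheck.Ok
           else PasswordCheck.Rejected("12-15 character passwords need upper, lower and digit")
}

fun main() {
    // Constructed inputs: a 21-character passphrase with spaces passes; 20 copies
    // of a 4-byte emoji are 20 code points but 80 bytes, so bcrypt would truncate.
    println(checkPassword("correct horse battery"))           // Ok
    println(checkPassword("\uD83D\uDD12".repeat(20)))        // Rejected(...)
    println(checkPassword("\uD83D\uDD12".repeat(20), null))  // Ok with an unlimited hasher
}
```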

**Tools:** Bean Validation (@Size), Manual Review, OWASP Password Policy
