---
title: Support 12-64 Character Passwords
impact: MEDIUM
impactDescription: promotes the use of secure passphrases over complex but short passwords
tags: password, length, passphrase, security, php
---

## Support 12-64 Character Passwords

Modern security standards (NIST SP 800-63B) prioritize longer passwords (passphrases) over short passwords with complex character requirements. Do not impose overly restrictive maximum length limits (such as 16 or 20 characters), as that prevents users from using secure passphrases or the long generated secrets produced by password managers.

**Incorrect (too restrictive or too short):**

```php
// Insecure: minimum length is too short
$request->validate(['password' => 'min:6']);

// Restrictive: prevents long secure passphrases
$request->validate(['password' => 'min:8|max:16']);
```

**Correct (promoting secure passphrases):**

```php
use Illuminate\Validation\Rules\Password;

// 1. Recommended validation (Laravel string rules)
$request->validate([
    'password' => [
        'required',
        'string',
        'min:12', // 12-character minimum recommended for public-facing accounts
        'max:64', // allow at least 64 characters so passphrases and generated secrets fit
    ],
]);

// 2. Laravel's Password rule object: complexity checks layered on the 12-character
//    minimum. NIST SP 800-63B advises against mandatory composition rules, so treat
//    letters()/numbers()/symbols() as optional and keep the 'max:64' cap from block 1.
$request->validate([
    'password' => [
        'required',
        Password::min(12)
            ->letters()
            ->numbers()
            ->symbols()
            ->uncompromised(), // Queries the Have I Been Pwned "Pwned Passwords" range API (k-anonymity: only a hash prefix is sent)
    ],
]);
```

**Security Guidelines:**
- **Minimum 8 characters** (Internal use) or **12+ characters** (Public internet).
- **Maximum 64-128 characters** should be supported.
- **Do not use "complexity"** (must include special characters) as a hard requirement if the password is long (e.g., > 16 characters).
- **Allow all characters**, including spaces and Unicode.

**Why 64 characters?**
bcrypt (Laravel's default hash driver) only ever hashes the first 72 bytes of its input: around 72 characters for ASCII, but fewer once the passphrase contains multibyte Unicode, since Laravel's `max` rule counts characters rather than bytes. A 64-character cap keeps ASCII passphrases inside that limit; if you accept more than 72 bytes, hash with a driver that has no such limit (argon2id is available in Laravel) so the tail of a passphrase is not silently discarded. Support for 64-128 characters is usually sufficient for nearly all users and password managers.
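To make the byte-versus-character distinction concrete, here is an added example in plain PHP (not code from the original rule or from Laravel): it hashes a constructed 64-character Unicode passphrase that passes a character-based `max:64` but exceeds bcrypt's 72-byte limit, so a second string sharing only its first 72 bytes verifies against the same bcrypt hash, while argon2id rejects it. `fitsBcrypt` and `passesMax64` are helper names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original rule or from Laravel.
// bcrypt uses only the first 72 bytes of its input, while Laravel's max:64
// counts characters (mb_strlen), so a 64-character Unicode passphrase can be
// longer than 72 bytes and have its tail cut off before hashing.

const BCRYPT_MAX_BYTES = 72;

/** True when the whole password reaches bcrypt; false if it would be cut off. */
function fitsBcrypt(string $password): bool
{
    return strlen($password) <= BCRYPT_MAX_BYTES;
}

/** Mirrors Laravel's max:64 on a string: character count, not byte count. */
function passesMax64(string $password): bool
{
    return mb_strlen($password, 'UTF-8') <= 64;
}

// Constructed passphrase: 64 x 'ö' (2 bytes each in UTF-8) = 64 chars, 128 bytes.
$passphrase = str_repeat('ö', 64);

printf("passes max:64 = %s, fits bcrypt = %s (%d chars, %d bytes)\n",
    var_export(passesMax64($passphrase), true),
    var_export(fitsBcrypt($passphrase), true),
    mb_strlen($passphrase, 'UTF-8'),
    strlen($passphrase));

$bcryptHash = password_hash($passphrase, PASSWORD_BCRYPT);

// A second string with the same first 72 bytes (36 x 'ö') and a different tail.
$lookalike = mb_substr($passphrase, 0, 36, 'UTF-8') . str_repeat('X', 28);

// bcrypt never sees either tail, so the lookalike verifies against the hash.
printf("bcrypt accepts lookalike: %s\n",
    var_export(password_verify($lookalike, $bcryptHash), true));

// argon2id (Laravel's 'argon2id' hash driver) has no 72-byte cap, so the full
// passphrase is covered and the lookalike is rejected.
if (defined('PASSWORD_ARGON2ID')) {
    $argonHash = password_hash($passphrase, PASSWORD_ARGON2ID);
    printf("argon2id accepts lookalike: %s\n",
        var_export(password_verify($lookalike, $argonHash), true));
}
```

Run it with `php example.php`; the `fitsBcrypt` check is the one to add as a closure rule (or a switch to argon2id) when your application allows Unicode and the bcrypt driver is in use.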

**Tools:** Laravel `Rules\Password`, OWASP Password Policy (Authentication Cheat Sheet), zxcvbn (password strength estimator)
