Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 month ago

    I usually do 256 characters. That’s long enough that most password managers top out anyway (mine tops out at 128), and it shouldn’t ever present a DOS risk. Anything much beyond that and you’ll go beyond the hash length.