Hi, I created the dumb password rules repository. Thanks for linking to it.

Most PRs that have been submitted have been concerned with maximum lengths like 8, 12, 16 characters or some unreasonably low number. I agree with your post that there needs to be some sufficiently high upper bound on password length. It just shouldn’t be as ridiculously low as many have it.


I have some additions to that list I need to submit based off of the research I did while working on this post. I had a look at Australian banks and their low password length limits. It's interesting looking at all of the (potential) decisions that were made in the past that led to the current state and why none of these were terrible decisions at the time.


I will happily review any PRs. I'm looking forward to your submissions.

