Support at least 64 characters maximum length including all ASCII characters within password.
Minimum characters: 8 when set by a human and 6 whencreated by a system.
NIST or National Institute of Standards and Technology has established itself as a authority figure for best practices on security and securing identities, password protection, and much more.
While developing new systems web application security is essential.
Brief summary overview of 800-63 guidelines in a checklist. If you want to read the full guidelines NIST Special Publication 800-63 guidelines for 2019
Support at least 64 characters maximum length including all ASCII characters within password.
Minimum characters: 8 when set by a human and 6 whencreated by a system.
Avoid password hints and knowledge-based authentication like your first dog.
Avoid password expiration period
Allow a minimum of 10 password attempts before lockout
No SMS for 2FA (two factor authenticator)
Consider using an app like Google Authenticator.
Check password against known password dictionaries.
NIST has played a large part in planning the CMMC compliance.