Update password length recommendation?

[hepabolu]

Two common recommendations you hear are 8 characters containing a mix of upper and lower case letters, digits, and symbols, or 12 characters with the same composition. These evaluate to approximately 52 bits of entropy and 78 bits of entropy respectively.

I wonder if this should be worded differently as 8 and maybe even 12 characters might be too short currently (Oct 2024). Using it to explain the entropy is of course correct.

[podfeet]

Can I assume you're quoting from the user documentation here?
https://userguide.xkpasswd.net/#/the-maths?id=the-entropy-of-xkpasswd-passwords

What's annoying is that NIST just published their password rules and they said 8 characters. I like where you're going though.

@bbusschots - what do you think?

[bbusschots]

This section needs a substantial re-write, but that re-write doesn't make sense until we also do a much-needed review of the default presets in the JavaScript implementation.

I've created an issue there for the review: bartificer/xkpasswd-js#111