In general, we have to comply with this document.
In detail, for passwords (I paste here what, at the moment, we should do in a custom way):
- Verify that passwords of at least 64 characters are permitted, and that passwords of more than 128 characters are denied. (C6)
- Verify that password truncation is not performed. However, consecutive multiple spaces may be replaced by a single space. (C6)
- Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally (such as the top 1,000 or 10,000 most common passwords which match the system's password policy) or using an external API. If using an API a zero knowledge proof or other mechanism should be used to ensure that the plain text password is not sent or used in verifying the breach status of the password. If the password is breached, the application must require the user to set a new non-breached password. (C6)
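The three requirements above fit together into one validation step: deny input over 128 characters without ever truncating it, collapse runs of spaces, then check the result against a breached-password set. The following Python is an added example written for this thread, not code from the project or from the ASVS document. It assumes an external breach service that answers a k-anonymity range query (only the first five hex characters of the SHA-1 leave the client, and the service returns every known suffix for that prefix); that service is simulated offline here from a small constructed corpus, and the "local" list is likewise a constructed stand-in for the top-N file a real deployment would load.

```python
import hashlib
import re

# Constructed stand-in for the local "top 1,000 / 10,000" breached list.
# A real deployment loads this from a file maintained with the password policy.
LOCAL_BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MAX_LENGTH = 128  # more than 128 characters must be denied (ASVS text above)


def normalize(password):
    """Collapse two or more consecutive spaces into one.

    Nothing else is altered and nothing is truncated: the requirement allows
    only this single normalization before hashing or comparing.
    """
    return re.sub(r" {2,}", " ", password)


def sha1_hex_upper(password):
    """Upper-case hex SHA-1, the digest form used for the range lookup."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Assumption: the remote breach service is a k-anonymity range API. Instead of
# calling it, this example builds the same prefix -> suffix index from a
# constructed corpus so the code runs without network access.
_SIMULATED_SERVICE_CORPUS = {"password", "123456", "welcome1", "sunshine"}
_SIMULATED_INDEX = {}
for _pw in _SIMULATED_SERVICE_CORPUS:
    _digest = sha1_hex_upper(_pw)
    _SIMULATED_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_query(prefix):
    """Stand-in for the HTTP call: only the 5-character prefix is sent, so the
    service never learns the plaintext or even the full hash."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly the first 5 hex characters")
    return _SIMULATED_INDEX.get(prefix, set())


def is_breached_remote(password):
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    # Matching happens client-side against the returned suffix set.
    return suffix in range_query(prefix)


def is_breached_local(password):
    return password in LOCAL_BREACHED


def validate_password(password, use_remote=True):
    """Apply the three checks in order.

    Returns (accepted, reason, normalized_password). The normalized form is
    what the caller should hash and store, so the breach checks run on it too.
    """
    # Length is checked on the raw input so an over-long secret is rejected,
    # never silently cut down to fit.
    if len(password) > MAX_LENGTH:
        return False, "passwords longer than 128 characters are not allowed", password
    normalized = normalize(password)
    if is_breached_local(normalized):
        return False, "password is in the local breached-password list", normalized
    if use_remote and is_breached_remote(normalized):
        return False, "password is in a known breach corpus", normalized
    return True, "ok", normalized


if __name__ == "__main__":
    for candidate in ["a" * 64, "a" * 129, "password", "welcome1",
                      "correct  horse   battery staple"]:
        accepted, reason, stored = validate_password(candidate)
        print(f"{candidate[:24]!r:28} accepted={accepted} ({reason}); stored length {len(stored)}")
```

The same `validate_password` should be called at registration, login and password change, as the requirement says; on a login where it returns a breach reason for an existing credential, the application has to force the user onto a new non-breached password rather than just logging the result.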