Please drop PASSWORD, and certainly the length checks.
Instead send an SMS to a GSM device that is associated with the name, and demand that this code is reproduced to authenticate.
You can also use fingerprint to confirm repeatedly on the same device and not always demand confirmation by the mobile device.
But drop passwords completely.
Google and Apple and numerous password wallet services know them better than most of us. Make a new site, and they offer passwords for free, well "encrypted", but it takes seconds to break that encryption, so hackers can easily get everybody's password. It takes just as long for 33 characters as for 3.
You can confirm HLR (CIC) and MSISDN easily, "phone number" is not enough, it must be an MSISDN with a SIM. Verizon can solve that.
@DoctorG SMS is a core service, and mil.spec. High Security, Orange Book. It is IMPOSSIBLE to intercept, IMPOSSIBLE to duplicate. It has been tried for decades and nobody has achieved anything more than to take the entire network down, like in Russia.
This is what the US DoD does not want, it is also impossible for the US CIA, NSA and FBI. So they have spread lies, and try to move the service to become an Internet Service.
This is the GSM core service, and is only available on all mobile phones, except for Verizon. I will talk to them, and explain that they cannot deliver this. Their CDMA network is not secure. GSM was designed to comply with US as a NATO country.
mib2berlin Soprano
@Knuthf
Hi, SMS is not secure at all, just search a bit for the latest articles from 2024, there are many.