We are being told by our audit department that there is a bill recently passed in California (possibly SB-327) that requires everyone to change from an 8-byte password to a 15-byte password. Have you heard anything about this or taken any action toward it? I have read several internet articles on SB-327 and they are complaining about weak passwords or default passwords that come from the vendor with the software or hardware and customers are not changing the defaults. I've seen nothing about the password length changing. This could be a major change for DDOL, DQRY, IDEA and related batch utilities.
A California bill called SB-327, which was passed and took effect on 1 Jan 2020, specifies that IoT devices (like routers, switches, and printers) that are sold in California and directly connected to the Internet must have unique passwords, and not the usual ones like “admin”.
Broadcom developers are not aware of any laws requiring user/application passwords to be 15 characters, but security pundits have recommended for years that passwords be at least 15 characters long. We cannot speak for the makers of the different security products, but the reason that security pass phrases were developed is that changing the legacy password from eight characters would be a very difficult and wide-reaching change to the foundation of operating systems and many related functions. Therefore, pass phrases were developed as a new feature that operates alongside passwords.
As to the use of longer passwords in the Datacom realm, we have a Knowledge Base article that discusses our position on supporting pass phrases. Please review Knowledge Base article 128913, titled “Datacom support for security passphrases or long passwords”, for more information.
As always, please contact Broadcom support for Datacom if you have further questions.