Passphrases with at least 4 words
Summary
The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more.
Description
Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are longer than passwords but are also easier to remember. Thus, systems should enforce the use of passphrases at least 4 words long and allow them to have 64 characters or more.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-49. Password brute forcing
- CAPEC™-560. Use of known domain credentials
- CWE™-521. Weak password requirements
- CWE™-522. Insufficiently protected credentials
- CWE™-640. Weak password recovery mechanism for forgotten password
- CWE™-1391. Use of Weak Credentials
- NERC CIP-007-6_R5_5. System access control
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- OWASP TOP 10-A7. Identification and authentication failures
- OWASP-M TOP 10-M4. Insecure authentication
- PA-DSS-3_1_6. Passwords must meet minimum requirements
- CMMC-IA_L2-3_5_7. Password complexity
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_1_2. Password security
- PCI DSS-8_3_6. Passwords or passphrases with minimum level of complexity
- SIG Core-H_3_1_5. Access control
- OWASP ASVS-2_1_3. Password security
- OWASP ASVS-2_1_4. Password security
- OWASP ASVS-2_1_8. Password security
- OWASP ASVS-2_1_9. Password security
Vulnerabilities
- 035. Weak credential policy
- 050. Guessed weak credentials
- 277. Weak credential policy - Password Expiration
- 296. Weak credential policy - Password Change Limit
- 363. Weak credential policy - Password strength
- 364. Weak credential policy - Temporary passwords
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.