Skip to main content

Passphrases with at least 4 words


The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more.


Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are longer than passwords but are also easier to remember. Thus, systems should enforce the use of passphrases at least 4 words long and allow them to have 64 characters or more.


  • CAPEC-49: Password Brute Forcing: In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

  • CAPEC-560: Use of Known Domain Credentials: An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

  • CWE-521: Weak Password Requirements: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  • NERC CIP-007-6. B. Requirements and measures. R5.5: For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

  • NIST 800-63B Memorized Secret Verifiers: Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

  • OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.2): Verify that passwords 64 characters or longer are permitted.

  • PCI DSS v3.2.1 - Requirement 8.2.3: Passwords/passphrases must require a minimum length of at least seven characters or equivalent complexity and strength.