Passwords with at least 20 characters
Summary
System passwords must be at least 20 characters long.
Description
Long passwords allow a high variety of characters and combinations to use, strengthening its complexity. The larger the number of characters and the longer the password, the harder it becomes for attackers to crack the password through credentials attacks, such as brute forcing, for example.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- CAPEC™-49. Password brute forcing
- CAPEC™-560. Use of known domain credentials
- CWE™-521. Weak password requirements
- CWE™-522. Insufficiently protected credentials
- CWE™-640. Weak password recovery mechanism for forgotten password
- CWE™-1391. Use of Weak Credentials
- NERC CIP-007-6_R5_5. System access control
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1027. Password policies
- PA-DSS-3_1_6. Passwords must meet minimum requirements
- CMMC-IA_L2-3_5_7. Password complexity
- HITRUST CSF-01_d. User password management
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-IAC-1_7. Strength of password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- PTES-7_4_5_1. Post Exploitation - Pillaging (system configuration password policy)
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- NIST 800-171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_1_1. Password security
- C2M2-4_1_d. Establish identities and manage authentication
- PCI DSS-8_3_6. Passwords or passphrases with minimum level of complexity
- SIG Lite-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG Core-H_3_1_6. Access control
- SIG Core-U_1_9_11. Server security
- OWASP ASVS-2_1_3. Password security
- OWASP ASVS-2_1_4. Password security
- OWASP ASVS-2_1_8. Password security
- OWASP ASVS-2_1_9. Password security
- Resolution SB 2021 2126-Art_30_7. Security in Electronic Channels - Digital Banking
Vulnerabilities
- 035. Weak credential policy
- 050. Guessed weak credentials
- 277. Weak credential policy - Password Expiration
- 296. Weak credential policy - Password Change Limit
- 363. Weak credential policy - Password strength
- 364. Weak credential policy - Temporary passwords
free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.