Passwords with at least 20 characters
Summary
System passwords must be at least 20 characters long.
Description
empty
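The following Python example is added here and is not code from the Fluid Attacks requirement page. It shows what a verifier for this requirement should actually check and the pitfalls around it: count characters, not bytes, and count them after Unicode normalization (ASVS 2.1.4 and NIST 800-63B both ask for Unicode passwords and a stable normalization form), accept spaces and long passphrases without truncating them (ASVS 2.1.2, 2.1.3), and warn when a 20-character password would still be silently cut at bcrypt's well-known 72-byte input limit. The function names, the 128-character upper bound and the sample passwords are assumptions made for this example.

```python
import unicodedata
from dataclasses import dataclass

MIN_CHARS = 20            # this requirement: at least 20 characters
MAX_CHARS = 128           # assumed upper bound; ASVS 2.1.2 asks that at least 64 be accepted
BCRYPT_INPUT_LIMIT = 72   # bytes; bcrypt ignores anything past this without an error


@dataclass
class LengthCheck:
    ok: bool
    chars: int      # Unicode code points after NFKC normalization
    byte_len: int   # UTF-8 bytes of the normalized string
    reason: str


def check_password_length(password: str,
                          min_chars: int = MIN_CHARS,
                          max_chars: int = MAX_CHARS) -> LengthCheck:
    """Enforce the minimum length the way a verifier should: on characters, not bytes.

    Normalize first so that 'e' + COMBINING ACUTE ACCENT and the precomposed 'é'
    count the same whatever the client sent (NIST 800-63B 5.1.1.2 recommends
    NFKC or NFC). Spaces and emoji are ordinary characters here (ASVS 2.1.4).
    """
    normalized = unicodedata.normalize("NFKC", password)
    chars = len(normalized)                      # code points, not len(password.encode())
    byte_len = len(normalized.encode("utf-8"))
    if chars < min_chars:
        return LengthCheck(False, chars, byte_len,
                           f"too short: {chars} < {min_chars} characters")
    if chars > max_chars:
        # Reject rather than truncate (ASVS 2.1.3); the bound exists only to cap hashing cost.
        return LengthCheck(False, chars, byte_len,
                           f"too long: {chars} > {max_chars} characters")
    return LengthCheck(True, chars, byte_len, "ok")


def fits_bcrypt(password: str) -> bool:
    """True if the whole password reaches bcrypt; multibyte characters eat the 72-byte budget fast.

    A 20-character emoji password passes the length check but is 80 bytes, so bcrypt
    would hash only the first 18 characters. Use Argon2id or pre-hash before bcrypt
    instead of silently accepting that.
    """
    normalized = unicodedata.normalize("NFKC", password)
    return len(normalized.encode("utf-8")) <= BCRYPT_INPUT_LIMIT


if __name__ == "__main__":
    # Constructed sample inputs for the example; none come from the original page.
    samples = {
        "ascii passphrase": "correct horse battery staple",   # 28 chars, spaces allowed
        "classic short":    "Tr0ub4dor&3",                    # 11 chars, complexity does not help
        "12 x n-tilde":     "\u00f1" * 12,                    # 12 chars but 24 bytes
        "10 x emoji":       "\U0001F510" * 10,                # 10 chars but 40 bytes
        "20 x combining":   "e\u0301" * 20,                   # 40 code points raw, 20 after NFKC
        "20 x emoji":       "\U0001F510" * 20,                # passes length, exceeds bcrypt limit
    }
    for label, pw in samples.items():
        result = check_password_length(pw)
        print(f"{label:18} chars={result.chars:3} bytes={result.byte_len:3} "
              f"ok={result.ok!s:5} bcrypt_ok={fits_bcrypt(pw)!s:5} {result.reason}")
```

A byte-counting check (`len(password.encode())`) would accept the 12-character "ñ" sample and the 10-emoji sample as 24 and 40 "characters", which is exactly the kind of policy bypass the length rule is meant to prevent; counting after normalization also keeps the count identical no matter which form the client's keyboard produced.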
Supported In
This requirement is verified in the following services:

Plan | Supported
---|---
Machine | 🟢
Squad | 🟢
References
- CAPEC™-49. Password brute forcing
- CAPEC™-560. Use of known domain credentials
- CWE™-521. Weak password requirements
- CWE™-522. Insufficiently protected credentials
- CWE™-640. Weak password recovery mechanism for forgotten password
- CWE™-1391. Use of Weak Credentials
- NERC CIP-007-6_R5_5. System access control
- OWASP TOP 10-A7. Identification and authentication failures
- MITRE ATT&CK®-M1027. Password policies
- PA-DSS-3_1_6. Passwords must meet minimum requirements
- CMMC-IA_L2-3_5_7. Password complexity
- HITRUST CSF-01_d. User password management
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-IAC-1_7. Strength of password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- PTES-7_4_5_1. Post Exploitation - Pillaging (system configuration password policy)
- MVSP-2_4. Application design controls - Password policy
- OWASP SCP-3. Authentication and password management
- OWASP MASVS-V4_5. Authentication and session management requirements - Password policy
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- NIST 800-171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_1_1. Password security
- C2M2-4_1_d. Establish identities and manage authentication
- PCI DSS-8_3_6. Passwords or passphrases with minimum level of complexity
- SIG Lite-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG Core-H_3_1_6. Access control
- SIG Core-U_1_9_11. Server security
- OWASP ASVS-2_1_3. Password security
- OWASP ASVS-2_1_4. Password security
- OWASP ASVS-2_1_8. Password security
- OWASP ASVS-2_1_9. Password security
- Resolution SB 2021 2126-Art_30_7. Security in Electronic Channels - Digital Banking
Vulnerabilities
- 035. Weak credential policy
- 050. Guessed weak credentials
- 277. Weak credential policy - Password Expiration
- 296. Weak credential policy - Password Change Limit
- 363. Weak credential policy - Password strength
- 364. Weak credential policy - Temporary passwords