Set minimum OTP length
Summary
One-time passwords must be at least 6 characters long.
Description
One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Although they are short-lived, they should have a minimum length of 6 characters to protect against brute-force attacks.
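As an added illustration (not code from this page or from Fluid Attacks), the snippet below enforces the 6-character minimum at OTP generation time with a CSPRNG and estimates how much a given length buys against blind guessing within a lockout or expiry budget. The `max_attempts` budget of 100 tries used in the usage example is an assumed value, not one stated on this page.

```python
import secrets
import string

MIN_OTP_LENGTH = 6  # minimum length this requirement mandates

DIGITS = string.digits                         # numeric OTPs (e.g. SMS codes)
ALNUM = string.ascii_uppercase + string.digits  # wider alphabet, same length


def otp_policy_violation(length: int, alphabet: str):
    """Return a message describing why the configuration fails the
    requirement, or None when it is acceptable."""
    if length < MIN_OTP_LENGTH:
        return f"OTP length {length} is below the minimum of {MIN_OTP_LENGTH}"
    if len(set(alphabet)) < 2:
        return "OTP alphabet must contain at least two distinct symbols"
    return None


def generate_otp(length: int = MIN_OTP_LENGTH, alphabet: str = DIGITS) -> str:
    """Generate an OTP using the CSPRNG-backed `secrets` module.
    The policy check runs first so a weak configuration cannot be used."""
    problem = otp_policy_violation(length, alphabet)
    if problem is not None:
        raise ValueError(problem)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_probability(length: int, alphabet: str, max_attempts: int) -> float:
    """Probability that an attacker guesses a uniformly random OTP within
    `max_attempts` blind tries before the verifier locks out or the OTP
    expires. Shows why length (and alphabet size) matter."""
    search_space = len(alphabet) ** length
    return min(1.0, max_attempts / search_space)


if __name__ == "__main__":
    # Assumed budget: the verifier allows at most 100 failed attempts.
    for length in (4, 6, 8):
        print(length, "digits:", guess_probability(length, DIGITS, 100))
    print("6 alphanumeric:", guess_probability(6, ALNUM, 100))
    print("sample OTP:", generate_otp())
```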
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- CMMC-IA_L2-3_5_7. Password complexity
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- WASSEC-6_2_1_1. Authentication - Brute force
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_2_6. General authenticator security
- PCI DSS-8_3_6. Passwords or passphrases with minimum level of complexity
- CWE™-522. Insufficiently protected credentials
- CWE™-640. Weak password recovery mechanism for forgotten password
- CWE™-1391. Use of Weak Credentials
Vulnerabilities
- 035. Weak credential policy
- 050. Guessed weak credentials
- 277. Weak credential policy - Password Expiration
- 294. Insecure service configuration - OTP
- 296. Weak credential policy - Password Change Limit
- 363. Weak credential policy - Password strength
- 364. Weak credential policy - Temporary passwords