One-time passwords must be at least 6 characters long.
One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, they should have a minimum length of 6 characters as a protection against brute force attacks.
This requirement is verified against the following standards and references:
- NIST 800-63B-5_1_1_2. Memorized secret verifiers
- CMMC-IA_L2-3_5_7. Password complexity
- FedRAMP-IA-5_1. Authenticator management - Password-based authentication
- ISA/IEC 62443-CR-1_7. Strength of password-based authentication
- WASSEC-6_2_1_1. Authentication - Brute force
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- NIST 800-115-5_1. Password cracking
- SWIFT CSCF-4_1. Password policy
- OWASP ASVS-2_2_6. General authenticator security
- PCI DSS-8_3_6. Passwords or passphrases with minimum level of complexity
- CWE-522. Insufficiently protected credentials
- CWE-640. Weak password recovery mechanism for forgotten password
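As an added illustration (not code from the original page), the following Python module issues and verifies one-time passwords that satisfy the minimum length above. The generator uses the `secrets` module so the code is unpredictable, refuses any length below 6, and the verifier pairs the length requirement with the two controls that make a short-lived secret resistant to brute force in practice: an expiry window and an attempt budget. The 300-second lifetime and the 5-attempt limit are assumed values chosen for the example; the page only fixes the minimum length. The `keyspace` helper makes the brute-force argument concrete by computing how many guesses a given length and alphabet allow.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

MIN_OTP_LENGTH = 6        # minimum length stated by the requirement
OTP_TTL_SECONDS = 300.0   # assumed lifetime for the example (not from the page)
MAX_ATTEMPTS = 5          # assumed wrong-guess budget for the example (not from the page)


def generate_otp(length: int = MIN_OTP_LENGTH, alphabet: str = "0123456789") -> str:
    """Return a cryptographically random OTP of `length` characters.

    Lengths below the requirement are rejected so a caller cannot
    accidentally issue a weaker code.
    """
    if length < MIN_OTP_LENGTH:
        raise ValueError(f"OTP length must be at least {MIN_OTP_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct codes an attacker would have to try in the worst case."""
    return alphabet_size ** length


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


@dataclass
class OtpVerifier:
    """Stores issued codes per user and enforces expiry, attempt limits and single use."""

    ttl: float = OTP_TTL_SECONDS
    max_attempts: int = MAX_ATTEMPTS
    _store: Dict[str, IssuedOtp] = field(default_factory=dict)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = generate_otp()
        self._store[user] = IssuedOtp(code=code, issued_at=now)
        return code

    def verify(self, user: str, candidate: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._store.get(user)
        if entry is None or entry.consumed:
            return False
        if now - entry.issued_at > self.ttl:
            # Expired: drop it so it can never be guessed later.
            self._store.pop(user, None)
            return False
        if entry.attempts >= self.max_attempts:
            # Attempt budget exhausted: invalidate the code entirely.
            self._store.pop(user, None)
            return False
        entry.attempts += 1
        # Constant-time comparison avoids leaking how many leading characters matched.
        ok = hmac.compare_digest(entry.code.encode(), candidate.encode())
        if ok:
            entry.consumed = True  # a code is valid exactly once
        return ok


if __name__ == "__main__":
    verifier = OtpVerifier()
    code = verifier.issue("alice")
    print(f"issued {code}; keyspace for 6 digits = {keyspace(6):,}")
    print("first use:", verifier.verify("alice", code))
    print("replay:", verifier.verify("alice", code))
```

With a six-digit numeric code the keyspace is one million, so a verifier that caps attempts at a handful and expires the code within minutes leaves an online guesser with a negligible success probability; shorter codes or an unlimited attempt budget would erode that margin quickly.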