132 – Passphrases with at least 4 words
Summary
The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more.
Description
Passwords are identity assertion elements that are easy to forget. Passphrases are sequences of words: they are longer than typical passwords yet easier to remember. Thus, systems should enforce passphrases of at least 4 words and accept passphrases of 64 characters or more without truncating them.
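A verifier-side check that enforces this requirement, added here as an illustration and not taken from the page or from any particular product. It assumes words are separated by whitespace or hyphens and an assumed upper bound of 128 characters chosen only to limit hashing cost; the legacy function shows the truncation anti-pattern the 64-character rule is meant to prevent.

```python
import re
import unicodedata
from typing import List

MIN_WORDS = 4           # requirement: passphrases have at least 4 words
MIN_ACCEPTED_LEN = 64   # requirement: verifiers must accept 64 characters or more
LEGACY_TRUNCATE_AT = 16  # constructed example of a legacy limit (anti-pattern)


def count_words(passphrase: str) -> int:
    """Count words separated by whitespace or hyphens (assumption), so
    'correct-horse-battery-staple' counts as four words."""
    return len([w for w in re.split(r"[\s\-]+", passphrase) if w])


def validate_passphrase(passphrase: str, max_len: int = 128) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable.

    The whole secret is checked (never truncated). `max_len` is an assumed
    upper bound that only exists to bound hashing cost; it must be at least
    MIN_ACCEPTED_LEN or the verifier would reject 64-character secrets.
    """
    if max_len < MIN_ACCEPTED_LEN:
        raise ValueError("a cap below 64 characters violates the requirement")
    # NFKC normalisation so the same visible text is always compared the same way
    normalized = unicodedata.normalize("NFKC", passphrase)
    problems = []
    if count_words(normalized) < MIN_WORDS:
        problems.append(f"needs at least {MIN_WORDS} words")
    if len(normalized) > max_len:
        problems.append(f"longer than the {max_len}-character limit")
    return problems


def legacy_stored_form(passphrase: str) -> str:
    """Anti-pattern for comparison: a verifier that silently truncates before
    storing or comparing. Any two passphrases sharing their first 16
    characters become interchangeable, discarding the extra words' entropy."""
    return passphrase[:LEGACY_TRUNCATE_AT]


if __name__ == "__main__":
    for candidate in ("correct horse", "correct horse battery staple"):
        print(repr(candidate), validate_passphrase(candidate) or "OK")
```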
Supported In
Essential: True
Advanced: True
References
- CAPEC-49. Password brute forcing
- CAPEC-560. Use of known domain credentials
- CWE-521. Weak password requirements
- CWE-522. Insufficiently protected credentials
- CWE-640. Weak password recovery mechanism for forgotten password
- CWE-1391. Use of weak credentials
- NERCCIP-007-6_R5_5. System access control
- NIST80063-5_1_1_2. Memorized secret verifiers
- OWASP10-A7. Identification and authentication failures
- OWASPM10-M4. Insecure authentication
- PADSS-3_1_6. Passwords must meet minimum requirements
- CMMC-IA_L2-3_5_7. Password complexity
- FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
- IEC62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- MVSP-2_4. Application design controls - Password policy
- OWASPSCP-3. Authentication and password management
- NIST800115-5_1. Password cracking
- SWIFTCSC-4_1. Password policy
- ASVS-2_1_2. Password security
- PCI-8_3_6. Passwords or passphrases with minimum level of complexity
- SIG-H_3_1_5. Access control
- ASVS-2_1_3. Password security
- ASVS-2_1_4. Password security
- ASVS-2_1_8. Password security
- ASVS-2_1_9. Password security
Weaknesses
Last updated
2023/09/18