Fluid Attacks Database

Passphrases with at least 4 words

Summary

The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more.

Description

Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are longer than passwords but are also easier to remember. Thus, systems should enforce the use of passphrases at least 4 words long and allow them to have 64 characters or more.

References

CAPEC-49. Password brute forcing
CAPEC-560. Use of known domain credentials
CWE-521. Weak password requirements
CWE-522. Insufficiently protected credentials
CWE-640. Weak password recovery mechanism for forgotten password
CWE-1391. Use of Weak Credentials
NERCCIP-007-6_R5_5. System access control
NIST80063-5_1_1_2. Memorized secret verifiers
OWASP10-A7. Identification and authentication failures
OWASPM10-M4. Insecure authentication
PADSS-3_1_6. Passwords must meet minimum requirements
CMMC-IA_L2-3_5_7. Password complexity
FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
IEC62443-CR-1_7. Strength of password-based authentication
OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
PTES-5_5_3. Vulnerability analysis - Common/default passwords
MVSP-2_4. Application design controls - Password policy
OWASPSCP-3. Authentication and password management
NIST800115-5_1. Password cracking
SWIFTCSC-4_1. Password policy
ASVS-2_1_2. Password security
PCI-8_3_6. Passwords or passphrases with minimum level of complexity
SIG-H_3_1_5. Access control
ASVS-2_1_3. Password security
ASVS-2_1_4. Password security
ASVS-2_1_8. Password security
ASVS-2_1_9. Password security

Weaknesses

035. Weak credential policy
050. Guessed weak credentials
277. Weak credential policy - Password Expiration
296. Weak credential policy - Password Change Limit
363. Weak credential policy - Password strength
364. Weak credential policy - Temporary passwords

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.

Supported In

This requirement is verified in following services

Essential Plan

Yes

Advanced Plan

Yes