Passwords with at least 20 characters
Summary
System passwords must be at least 20 characters long.
Description
Long passwords allow a wider variety of characters and combinations, which increases their complexity. The longer the password and the larger its character set, the harder it becomes for attackers to recover it through credential attacks such as brute forcing.
References
- CAPEC-49. Password brute forcing
- CAPEC-560. Use of known domain credentials
- CWE-521. Weak password requirements
- CWE-522. Insufficiently protected credentials
- CWE-640. Weak password recovery mechanism for forgotten password
- CWE-1391. Use of Weak Credentials
- NERCCIP-007-6_R5_5. System access control
- OWASP10-A7. Identification and authentication failures
- MITRE-M1027. Password policies
- PADSS-3_1_6. Passwords must meet minimum requirements
- CMMC-IA_L2-3_5_7. Password complexity
- HITRUST-01_d. User password management
- FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
- IEC62443-IAC-1_7. Strength of password-based authentication
- IEC62443-CR-1_7. Strength of password-based authentication
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- ISSAF-D_8. Network security - Password security testing (countermeasures)
- ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
- ISSAF-Y_3_1. Database Security - Database services countermeasures
- PTES-5_5_3. Vulnerability analysis - Common/default passwords
- PTES-7_4_5_1. Post Exploitation - Pillaging (system configuration password policy)
- MVSP-2_4. Application design controls - Password policy
- OWASPSCP-3. Authentication and password management
- NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- NIST800171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
- NIST800115-5_1. Password cracking
- SWIFTCSC-4_1. Password policy
- ASVS-2_1_1. Password security
- C2M2-4_1_d. Establish identities and manage authentication
- PCI-8_3_6. Passwords or passphrases with minimum level of complexity
- SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
- SIG-H_3_1_6. Access control
- SIG-U_1_9_11. Server security
- ASVS-2_1_3. Password security
- ASVS-2_1_4. Password security
- ASVS-2_1_8. Password security
- ASVS-2_1_9. Password security
- RESOLSB-Art_30_7. Security in Electronic Channels - Digital Banking
Weaknesses
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan