133 – Passwords with at least 20 characters

Summary

System passwords must be at least 20 characters long.

Description

Long passwords allow a high variety of characters and combinations to use, strengthening its complexity. The larger the number of characters and the longer the password, the harder it becomes for attackers to crack the password through credentials attacks, such as brute forcing, for example.

Supported In

Essential: True

Advanced: True

References

• CAPEC-49. Password brute forcing
• CAPEC-560. Use of known domain credentials
• CWE-521. Weak password requirements
• CWE-522. Insufficiently protected credentials
• CWE-640. Weak password recovery mechanism for forgotten password
• CWE-1391. Use of Weak Credentials
• NERCCIP-007-6_R5_5. System access control
• OWASP10-A7. Identification and authentication failures
• MITRE-M1027. Password policies
• PADSS-3_1_6. Passwords must meet minimum requirements
• CMMC-IA_L2-3_5_7. Password complexity
• HITRUST-01_d. User password management
• FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
• IEC62443-IAC-1_7. Strength of password-based authentication
• IEC62443-CR-1_7. Strength of password-based authentication
• OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
• ISSAF-D_8. Network security - Password security testing (countermeasures)
• ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
• ISSAF-Y_3_1. Database Security - Database services countermeasures
• PTES-5_5_3. Vulnerability analysis - Common/default passwords
• PTES-7_4_5_1. Post Exploitation - Pillaging (system configuration password policy)
• MVSP-2_4. Application design controls - Password policy
• OWASPSCP-3. Authentication and password management
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• NIST800171-5_7. Enforce a minimum password complexity and change of characters when new passwords are created
• NIST800115-5_1. Password cracking
• SWIFTCSC-4_1. Password policy
• ASVS-2_1_1. Password security
• C2M2-4_1_d. Establish identities and manage authentication
• PCI-8_3_6. Passwords or passphrases with minimum level of complexity
• SIGLITE-SL_72. Is there a password policy for systems that transmit, process or store data that has been approved by management on all platforms?
• SIG-H_3_1_6. Access control
• SIG-U_1_9_11. Server security
• ASVS-2_1_3. Password security
• ASVS-2_1_4. Password security
• ASVS-2_1_8. Password security
• ASVS-2_1_9. Password security
• RESOLSB-Art_30_7. Security in Electronic Channels - Digital Banking

Weaknesses

• 277 – Weak credential policy - Password Expiration
• 296 – Weak credential policy - Password Change Limit
• 363 – Weak credential policy - Password strength
• 364 – Weak credential policy - Temporary passwords
• 035 – Weak credential policy
• 050 – Guessed weak credentials

Last updated

2024/01/18