139 – Set minimum OTP length

Summary

One-time passwords must be at least 6 characters long.

Description

One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, they should have a minimum length of 6 characters as a protection against brute force attacks.

Supported In

Essential: True

Advanced: True

References

• NIST80063-5_1_1_2. Memorized secret verifiers
• CMMC-IA_L2-3_5_7. Password complexity
• FEDRAMP-IA-5_1. Authenticator management - Password-based authentication
• IEC62443-CR-1_7. Strength of password-based authentication
• WASSEC-6_2_1_1. Authentication - Brute force
• ISSAF-D_1. Network security - Password security testing (gathering authentication credentials)
• PTES-5_5_3. Vulnerability analysis - Common/default passwords
• NIST800115-5_1. Password cracking
• SWIFTCSC-4_1. Password policy
• ASVS-2_2_6. General authenticator security
• PCI-8_3_6. Passwords or passphrases with minimum level of complexity
• CWE-522. Insufficiently protected credentials
• CWE-640. Weak password recovery mechanism for forgotten password
• CWE-1391. Use of Weak Credentials

Weaknesses

• 277 – Weak credential policy - Password Expiration
• 294 – Insecure service configuration - OTP
• 296 – Weak credential policy - Password Change Limit
• 363 – Weak credential policy - Password strength
• 364 – Weak credential policy - Temporary passwords
• 035 – Weak credential policy
• 050 – Guessed weak credentials

Last updated

2023/09/18