System passwords must be at least 20 characters long.
CAPEC-49: Password Brute Forcing. In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials. An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CWE-521: Weak Password Requirements The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
NERC CIP-007-6. B. Requirements and measures. R5.5 For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.1) Verify that user set passwords are at least 12 characters in length.
PCI DSS v3.2.1 - Requirement 8.2.3 Passwords/passphrases must require a minimum length of at least seven characters or equivalent complexity and strength.