One-time passwords must be at least 6 characters long.
One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, they should have a minimum length of 6 characters as a protection against brute force attacks.
CWE-330: Use of Insufficiently Random Values. The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
NIST 800-63B 18.104.22.168 Memorized Secret Verifiers Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment) or by the verifier (e.g., when a user requests a new PIN) SHALL be at least 6 characters in length and SHALL be generated using an approved random bit generator.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements.(2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.