REQ.132 Passphrases with minimum 4 words
Passphrases must be at least 4 words long.
The following security requirement addresses the importance of establishing passphrases with at least four (4) words of length. Understanding the latter, as a sequence of words  whose length is higher but more secure than other types of passwords.
OWASP-ASVS v3.1-2.7 Verify password entry fields allow, or encourage, the use of passphrases, and do not prevent long passphrases or highly complex passwords being entered.
OWASP-ASVS v3.1-2.27 Verify that measures are in place to block the use of commonly chosen passwords and weak pass-phrases.