R132. Passphrases with at least 4 words
The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more .
Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are longer than passwords but are also easier to remember. Thus, systems should enforce the usage of passphrases at least 4 words long and allow them to have 64 characters or more.
CWE-521: Weak Password Requirements The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
NIST 800-63B 184.108.40.206 Memorized Secret Verifiers Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.2) Verify that passwords 64 characters or longer are permitted.