Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us

R132. Passphrases with at least 4 words

This document contains the details of the security requirements related to the definition and management of access credentials in the organization. This requirement establishes the importance of defining passphrases with at least 4 words and allowing them to be more than 64 characters long.


The system must require passphrases to be at least 4 words long and allow them to have 64 characters or more .


Passwords are identity assertion elements that can be easily forgotten. Passphrases are sequences of words that are longer than passwords but are also easier to remember. Thus, systems should enforce the usage of passphrases at least 4 words long and allow them to have 64 characters or more.


  1. CWE-521: Weak Password Requirements The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  2. NIST 800-63B Memorized Secret Verifiers Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.

  3. OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.2) Verify that passwords 64 characters or longer are permitted.

Service status - Terms of Use