R133. Passwords with at least 20 characters

Requirement

System passwords must be at least 20 characters long.

References

  1. CWE-521: Weak Password Requirements. The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  2. NERC CIP-007-6. B. Requirements and measures. R5.5. For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.

  3. OWASP-ASVS v4.0.1 V2.1 Password Security Requirements. (2.1.1) Verify that user set passwords are at least 12 characters in length.

  4. PCI DSS v3.2.1 - Requirement 8.2.3. Passwords/passphrases must require a minimum length of at least seven characters or equivalent complexity and strength.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
