System passwords must be at least 20 characters long.
CWE-521: Weak Password Requirements The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
NERC CIP-007-6. B. Requirements and measures. R5.5 For password-only authentication for interactive user access, either technically or procedurally enforce the following password parameters: Password length that is, at least, the lesser of eight characters or the maximum length supported by the Cyber Asset; and minimum password complexity that is the lesser of three or more different types of characters (e.g., uppercase alphabetic, lowercase alphabetic, numeric, non-alphanumeric) or the maximum complexity supported by the Cyber Asset.
OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.1) Verify that user set passwords are at least 12 characters in length.
PCI DSS v3.2.1 - Requirement 8.2.3 Passwords/passphrases must require a minimum length of at least seven characters or equivalent complexity and strength.