R139. Set minimum OTP length


One-time passwords must be at least 6 characters long.


One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, they should have a minimum length of 6 characters as a protection against brute force attacks.


  1. CWE-330: Use of Insufficiently Random Values. The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

  2. NIST 800-63B Memorized Secret Verifiers. Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment) or by the verifier (e.g., when a user requests a new PIN) SHALL be at least 6 characters in length and SHALL be generated using an approved random bit generator.

  3. OWASP-ASVS v4.0.1 V2.3 Authenticator Lifecycle Requirements. (2.3.1) Verify system generated initial passwords or activation codes SHOULD be securely randomly generated, SHOULD be at least 6 characters long.
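As an added illustration that is not part of the original requirement text: a small Python module that applies the rule above, generating OTPs with an approved CSPRNG (`secrets`), rejecting lengths below 6, and reporting the guess space so the brute-force argument can be quantified. All function names are hypothetical.

```python
import hmac
import math
import secrets
import string

# Minimum length required by this requirement (R139) and by NIST 800-63B.
MIN_OTP_LENGTH = 6
DIGITS = string.digits


def otp_guess_space_bits(length: int, alphabet_size: int = len(DIGITS)) -> float:
    """Entropy in bits of a uniformly random OTP of the given length and alphabet.

    A 6-digit numeric OTP has 10**6 possibilities, i.e. about 19.9 bits; a
    4-digit one has only 10**4, which a brute-force loop covers quickly.
    """
    return length * math.log2(alphabet_size)


def generate_otp(length: int = MIN_OTP_LENGTH, alphabet: str = DIGITS) -> str:
    """Generate an OTP with the `secrets` CSPRNG, refusing lengths below the minimum."""
    if length < MIN_OTP_LENGTH:
        raise ValueError(f"OTP length {length} is below the minimum of {MIN_OTP_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_compliant_otp(otp: str, alphabet: str = DIGITS) -> bool:
    """Check an OTP (e.g., one found in a fixture or log during review) against the rule."""
    return len(otp) >= MIN_OTP_LENGTH and all(ch in alphabet for ch in otp)


def verify_otp(submitted: str, expected: str) -> bool:
    """Constant-time comparison so the verifier does not leak how many leading characters matched."""
    return hmac.compare_digest(submitted.encode(), expected.encode())
```

Pair the length rule with rate limiting and expiry on the verifier side; a 6-character secret only resists brute force if the number of attempts is also bounded.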

