Minimum length 12+ characters
Demonstrate that all authentication systems enforce a minimum password length of at least 12 characters and that no user accounts exist with shorter passwords.
Description
What this control does
This control enforces a minimum password length of 12 or more characters for all user accounts across systems and applications. Longer passwords exponentially increase the computational effort required for brute-force and dictionary attacks, making credential compromise significantly more difficult. The 12-character threshold represents the current industry consensus for balancing security effectiveness with usability, providing adequate entropy against modern password-cracking techniques including GPU-accelerated attacks.
Control objective
What auditing this proves
Demonstrate that all authentication systems enforce a minimum password length of at least 12 characters and that no user accounts exist with shorter passwords.
Associated risks
Risks this control addresses
- Brute-force attacks succeed more rapidly against short passwords, enabling unauthorized access to user accounts and sensitive systems
- Dictionary attacks rely on common words and word combinations, and are only viable when the minimum length requirement is too low to rule them out
- Credential stuffing attacks achieve higher success rates when users can create weak, short passwords that they reuse across services
- Rainbow table attacks remain computationally feasible for passwords under 12 characters, particularly when combined with weak hashing algorithms
- Automated credential spraying campaigns can cycle through common short passwords across many accounts without triggering lockout mechanisms
- Insider threats exploit accounts with short, easily guessable passwords to gain unauthorized access beyond their assigned privileges
- Compliance violations occur when password length fails to meet regulatory or contractual requirements for data protection
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's password policy documentation to identify the documented minimum password length requirement
- Export password policy configuration settings from Active Directory, LDAP, IAM systems, and all in-scope authentication platforms
- Verify minimum password length settings in each system's configuration files, group policies, or administrative consoles
- Query user account databases or authentication systems to identify any accounts created before the current policy was enforced that may have non-compliant password lengths
- Attempt to create test accounts with passwords of 11, 10, and 8 characters in each authentication system to validate enforcement
- Review application-level authentication configurations for custom applications to confirm they enforce the same minimum length requirement
- Examine privileged, service, and administrative accounts separately to confirm no exceptions bypass the 12-character minimum
- Analyze password change logs or audit records from the past 90 days to verify the policy consistently rejected attempts to set passwords shorter than 12 characters
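The Active Directory export and verification steps above, as an added PowerShell audit script that is not part of this control text. It assumes the RSAT ActiveDirectory module, read access to the domain, and uses 'Domain Admins' as the privileged group to spot-check; the output file name is a chosen placeholder.

```powershell
# Added audit script (not part of the control text): compares the AD default
# domain password policy and every fine-grained password policy (PSO) against
# the 12-character minimum, then checks the policy that actually applies to
# each privileged account, since a PSO can silently grant a shorter length.
Import-Module ActiveDirectory

$RequiredMinLength = 12   # threshold stated in the control
$Findings = @()

# 1. Default domain password policy (covers every account without a PSO)
$Default = Get-ADDefaultDomainPasswordPolicy
$Findings += [pscustomobject]@{
    Policy            = 'Default Domain Policy'
    MinPasswordLength = $Default.MinPasswordLength
    AppliesTo         = 'All accounts without a PSO'
    Compliant         = ($Default.MinPasswordLength -ge $RequiredMinLength)
}

# 2. Fine-grained password policies override the default for their targets;
#    each one is a potential exception the auditor must see.
foreach ($Pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $Findings += [pscustomobject]@{
        Policy            = $Pso.Name
        MinPasswordLength = $Pso.MinPasswordLength
        AppliesTo         = ($Pso.AppliesTo -join '; ')
        Compliant         = ($Pso.MinPasswordLength -ge $RequiredMinLength)
    }
}

# 3. Privileged accounts checked individually: the resultant policy shows
#    which PSO (if any) wins; a null result means the default policy applies.
$Privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user'
foreach ($Acct in $Privileged) {
    $Effective = Get-ADUserResultantPasswordPolicy -Identity $Acct.SamAccountName
    $MinLen = if ($Effective) { $Effective.MinPasswordLength } else { $Default.MinPasswordLength }
    $Findings += [pscustomobject]@{
        Policy            = "Effective for $($Acct.SamAccountName)"
        MinPasswordLength = $MinLen
        AppliesTo         = $Acct.SamAccountName
        Compliant         = ($MinLen -ge $RequiredMinLength)
    }
}

# Show results and keep a CSV as audit evidence (placeholder file name)
$Findings | Format-Table -AutoSize
$Findings | Export-Csv -Path .\password-length-audit.csv -NoTypeInformation
```

Any row with Compliant = False is a policy or account that does not meet the 12-character minimum and must be documented as an exception or remediated.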
Where this control is tested