[Owasp-cheat-sheets] Authentication Cheat Sheet - Password length

Jim Manico jim.manico at owasp.org
Thu Aug 30 15:32:49 UTC 2012

Good catch and well said. Do you have a sec to fix this on the wiki?


Jim Manico
(808) 652-3805

On Aug 30, 2012, at 1:09 AM, "Paweł Krawczyk" <pawel.krawczyk at hush.com> wrote:

I was just reading

Password Length

Longer passwords provide a greater combination of characters and
consequently make it more difficult for an attacker to guess.

*Important applications*: Minimum of 6 characters in length.

*Critical applications*: Minimum of 8 characters in length. (consider
multi-factor authentication)

*Highly critical applications*: Consider multi-factor authentication

Isn't that somewhat outdated? I wouldn't recommend minimum 6-character
passwords for any application. Looking at the available evidence, I would
recommend the minimum to be nine characters for new applications and eight
for existing.


Paweł Krawczyk, CISSP
http://ipsec.pl http://echelon.pl
+48 602 776959
