Require Minimum and Maximum Password Length [Updated in Security center 2.2]

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • Set minimum and maximum password lengths to avoid compliance issues and reduce the risk of a successful brute force attack

    Password policies define the requirements for passwords your users create on your instance. The password length must fall within the range accepted by the NIST 800-63B document.

    Ensure that a password policy is being enforced for each password credential store in use on your instance. Ensure that the password policy mandates a minimum password length of at least 15 characters and maximum password length of at least 64 characters.

    For each password credential store record in the Password Reset Credential Stores [pwd_cred_store] table:
    1. Ensure that a password policy is being enforced for each password credential store in use on your instance:
      1. For each password credential store record in the Password Reset Credential Stores [pwd_cred_store] table, ensure that the Enable password policy field is activated.

    2. Ensure that the password policy mandates a minimum password length of at least 15 characters and a maximum password length of at least 64 characters.
      1. Navigate to the Password Policy [password_policy] record referenced in the record's Password policy field. Ensure that the Minimum Password Length field is set to at least 15 and the Maximum Password Length field is set to at least 64.

    3. Further instructions on configuring a password policy can be found in the documentation: Enable password policies on your instance

    For further instructions on configuring a password policy, see Enable password policies on your instance.
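
The audit in the steps above, as an added example that is not ServiceNow's own code: it checks exported credential store and password policy records and reports each failed check. The column names (`enable_password_policy`, `password_policy`, `min_length`, `max_length`) and the treatment of an empty length field as the fallback value are assumptions for illustration.

```javascript
// Added example: audits exported records against the checks in the steps above.
// Column names below are assumptions; map them to the actual columns on your
// instance's pwd_cred_store and password_policy tables before use.
const MIN_REQUIRED = 15; // Minimum Password Length must be at least 15
const MAX_REQUIRED = 64; // Maximum Password Length must be at least 64
const FALLBACK = { min_length: 8, max_length: 100 }; // fallback values listed on this page

// Assumption: an empty or unparseable length field behaves as the fallback value.
function effective(policy, field) {
  const n = Number.parseInt(policy[field], 10);
  return Number.isInteger(n) && n > 0 ? n : FALLBACK[field];
}

function auditCredentialStores(stores, policies) {
  const byId = new Map(policies.map((p) => [p.sys_id, p]));
  return stores.map((store) => {
    const findings = [];
    if (String(store.enable_password_policy) !== 'true') {
      findings.push('Enable password policy is not activated');
    }
    const policy = byId.get(store.password_policy);
    if (!policy) {
      findings.push('No Password Policy record is referenced');
    } else {
      const min = effective(policy, 'min_length');
      const max = effective(policy, 'max_length');
      if (min < MIN_REQUIRED) findings.push(`Minimum Password Length is ${min}, expected at least ${MIN_REQUIRED}`);
      if (max < MAX_REQUIRED) findings.push(`Maximum Password Length is ${max}, expected at least ${MAX_REQUIRED}`);
    }
    return { store: store.name, compliant: findings.length === 0, findings };
  });
}

// Constructed sample data (not from a real instance).
const samplePolicies = [
  { sys_id: 'p1', min_length: '15', max_length: '64' },
  { sys_id: 'p2', min_length: '', max_length: '100' }, // unset minimum, fallback 8 applies
  { sys_id: 'p3', min_length: '16', max_length: '32' },
];
const sampleStores = [
  { name: 'Local', enable_password_policy: 'true', password_policy: 'p1' },
  { name: 'Legacy', enable_password_policy: 'true', password_policy: 'p2' },
  { name: 'Partner', enable_password_policy: 'false', password_policy: 'p3' },
  { name: 'Orphan', enable_password_policy: 'true', password_policy: '' },
];

console.log(JSON.stringify(auditCredentialStores(sampleStores, samplePolicies), null, 2));
```

A store whose policy leaves the minimum unset fails here because the effective value is the fallback of 8, which the Enable password policy checkbox alone does not reveal.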

    More information

    Attribute: Description

    Configuration name: Records on the Password Reset Credential Store [pwd_cred_store] and Password Policy [password_policy] tables.

    Configuration type: Records on the Password Reset Credential Store [pwd_cred_store] and Password Policy [password_policy] tables.

    Data type: Boolean and Integer

    Recommended value:
    • The Enable password policy field on each Password Reset Credential Stores [pwd_cred_store] record must be activated (true).
    • The Minimum Password Length on the associated Password Policy [password_policy] record must be at least 15.
    • The Maximum Password Length on the associated Password Policy [password_policy] record must be equal to or less than 64.

    Default value:
    • The Minimum Password Length on Password Policy [password_policy] records is 8 by default.
    • The Maximum Password Length on Password Policy [password_policy] records is 100 by default.

    Fallback value:
    • The fallback value of Minimum Password Length on Password Policy [password_policy] records is 8.
    • The fallback value of Maximum Password Length on Password Policy [password_policy] records is 100.

    Category: Authentication

    Security risk:
    • Severity score: 5.9
    • CVSS score: Medium
    • Security risk details: Allowing passwords that are too short or not long enough could lead to compliance issues and increase the risk of an attacker successfully brute-forcing passwords.

    Functional impact: Instances do not suffer any impact from a minimum password length of 15 or maximum password length of 64.

    Dependencies and prerequisites: None