Password complexity question

[StoopidGit]

Hi All,

In ASVS, 2.1.1. states:

• "Verify that user set passwords are at least 12 characters in length (after multiple spaces are combined).

However, in the OWASP Cheat Sheet on AuthN it states:

• Minimum length of the passwords should be enforced by the application. Passwords shorter than 8 characters are considered to be weak (NIST SP800-63B).

Can someone help to clarify the difference as well as which guidance is best?

[elarlang]

Please always watch latest requirement, and that is at the moment:

V2.1.1 Verify that user set passwords are at least 8 characters in length although a minimum of 15 characters is strongly recommended.

[StoopidGit]

thank you, which version of ASVS is this? I currently see the latest is 4.0.3

[elarlang]

It's a v5.0 "bleeding edge", that is not yet released but hopefully takes place in some months

https://github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md

[StoopidGit]

Ah, that's why I didn't see. Thank you again!

[StoopidGit]

do you know about when v5.0 would release?

[elarlang]

"Hopefully in some months" is the most precise promise I can give