PCI 8.2.3 Require a minimum password length of at least seven characters

Information

This requirement specifies that a minimum of seven characters and both numeric and alphabetic characters should be used for passwords/phrases. For cases where this minimum cannot be met due to technical limitations, entities can use 'equivalent strength' to evaluate their alternative. NIST SP 800-63-1 defines 'entropy' as 'a measure of the difficulty of guessing or determining a password or key.' This document and others that discuss 'password entropy' can be referred to for more information on applicable entropy value and for understanding equivalent password strength variability for passwords/phrases of different formats.
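The two tests this requirement implies, the literal rule (at least seven characters with both letters and digits) and the 'equivalent strength' fallback for systems that cannot enforce it, can be written down as a small policy-review helper. The following is an added example, not code from the PCI SSC, NIST or the audit plugin; the equivalence test uses a naive brute-force search-space estimate (log2 of pool size to the power of length) and treats the weakest literally-compliant password, seven characters from lowercase letters and digits, as the bar an alternative must clear. That baseline and the function names are assumptions for illustration.

```python
import math
import re
import string

MIN_LENGTH = 7  # PCI DSS 8.2.3 minimum password length


def meets_pci_8_2_3(password: str) -> bool:
    """Literal PCI DSS 8.2.3 test: at least seven characters, containing
    both alphabetic and numeric characters."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def charset_size(password: str) -> int:
    """Size of the character pool implied by the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Naive strength estimate: log2(pool_size ** length).

    This is the exhaustive-search space, so it is an upper bound; NIST
    SP 800-63 guidance assigns user-chosen passwords far less entropy.
    """
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


# Assumption (not stated on the page): the weakest password that satisfies
# the literal rule, seven characters drawn from lowercase letters and digits
# (36 symbols), is the bar an 'equivalent strength' alternative must clear.
BASELINE_BITS = MIN_LENGTH * math.log2(26 + 10)  # about 36.2 bits


def equivalent_strength(password: str) -> bool:
    """True when the brute-force search space is at least the baseline,
    even if the literal alphanumeric rule is not met (e.g. a passphrase)."""
    return brute_force_bits(password) >= BASELINE_BITS


def evaluate(password: str) -> dict:
    """Summarise both tests for a policy review report."""
    return {
        "length": len(password),
        "literal_8_2_3": meets_pci_8_2_3(password),
        "bits": round(brute_force_bits(password), 1),
        "equivalent_strength": equivalent_strength(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for sample in ["abc1234", "abcdefg", "ab1",
                   "correct horse battery", "12345678901234"]:
        print(repr(sample), evaluate(sample))
```

The passphrase sample fails the literal rule (no digit) but clears the equivalence bar comfortably, which is the situation the 'equivalent strength' language is meant for. The reverse also shows up: a seven-character lowercase-plus-digit password sits exactly on the baseline, so the naive estimate should be read as a floor for what an alternative policy must beat, not as proof that a given password is hard to guess.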

See Also

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CSCv6|5.7, CSCv6|16.2, CSCv6|16.5

Plugin: Windows

Control ID: 67f0c781c76d7a2dac99d05d99c28b8e8c6f990d657d47321033d1a0fe15f08c