Enforcing a minimum password length is a common safeguard against weak passwords, as longer passwords are generally more secure. However, setting the minimum length too low allows users to create short, easily compromised passwords, increasing the risk of unauthorized access to accounts and sensitive data.
Tenable Identity Exposure evaluates all password policies because this setting is mandatory, unlike other password policy settings that may be left undefined.
Tenable Identity Exposure analyzes disabled password policies only when the corresponding IOE parameter is also disabled.
You must set the minimum password length to a higher value in the reported password policy.
Okta recommends a typical minimum password length of 12 characters, which is also the default setting in this Indicator of Exposure. Tenable advises selecting a value that aligns with your organization's risk tolerance, as well as the relevant industry standards and regulatory requirements for your sector and location. Be mindful of the impact on end-user experience, as users will have to remember longer passwords.
Next, configure the optimal value in the IOE parameter.
Refer to Okta's official documentation for guidance on how to correctly configure the reported password policy.
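The following is an added audit example, not Tenable's or Okta's own code, that mirrors the evaluation described above: it walks a set of Okta password policies, flags any whose minimum length falls below the 12-character default, and skips disabled policies unless the caller opts in, as the IOE parameter does. The sample policies are constructed inline, and the field layout (`status`, `settings.password.complexity.minLength`) is assumed to follow the shape of Okta's password policy API object; it is not a live API response.

```python
"""Audit constructed Okta password policies for a weak minimum length."""

# Default threshold named on the page: 12 characters.
DEFAULT_MIN_LENGTH = 12

# Constructed sample policies. The field layout is an assumption about the
# shape of Okta's Password Policy objects, not data taken from a real tenant.
SAMPLE_POLICIES = [
    {"name": "Default Policy", "status": "ACTIVE",
     "settings": {"password": {"complexity": {"minLength": 8}}}},
    {"name": "Contractors", "status": "ACTIVE",
     "settings": {"password": {"complexity": {"minLength": 14}}}},
    {"name": "Legacy Apps", "status": "INACTIVE",
     "settings": {"password": {"complexity": {"minLength": 6}}}},
    {"name": "Malformed Policy", "status": "ACTIVE",
     "settings": {"password": {}}},
]


def policy_min_length(policy):
    """Return the configured minLength, or None if the object does not carry one."""
    return (policy.get("settings", {})
                  .get("password", {})
                  .get("complexity", {})
                  .get("minLength"))


def find_weak_policies(policies, min_length=DEFAULT_MIN_LENGTH, include_disabled=False):
    """Return (name, minLength) for every policy below the threshold.

    Disabled (non-ACTIVE) policies are skipped unless include_disabled is True,
    mirroring the IOE parameter that controls whether disabled policies are
    analyzed. Because Okta treats minimum length as a mandatory setting, a
    policy with no minLength at all is reported too (as None): it cannot be
    shown to meet the threshold, so it is surfaced for manual review.
    """
    findings = []
    for policy in policies:
        if not include_disabled and policy.get("status") != "ACTIVE":
            continue
        length = policy_min_length(policy)
        if length is None or length < min_length:
            findings.append((policy.get("name", "<unnamed>"), length))
    return findings


def report(policies, min_length=DEFAULT_MIN_LENGTH, include_disabled=False):
    """Print a human-readable summary and return the number of findings."""
    findings = find_weak_policies(policies, min_length, include_disabled)
    for name, length in findings:
        shown = "undefined" if length is None else str(length)
        print(f"WEAK: {name!r} minimum length {shown} < {min_length}")
    if not findings:
        print(f"All evaluated policies require at least {min_length} characters.")
    return len(findings)


if __name__ == "__main__":
    # Active policies only, 12-character threshold (the IOE default).
    report(SAMPLE_POLICIES)
    # Same check with disabled policies included, as when the IOE parameter is off.
    report(SAMPLE_POLICIES, include_disabled=True)
```

Run against a real tenant, the policy list would come from Okta's policies API rather than the constructed `SAMPLE_POLICIES`; the check itself is unchanged, and raising `min_length` is how you would model a stricter organizational threshold.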
Name: Weak Password Policy - Minimum Length
Codename: WEAK-PASSWORD-POLICY-MINIMUM-LENGTH-OKTA
Severity: High
Type: Okta Indicator of Exposure