AAAI-04

For customers not using SSO, does the system have password complexity or length limitations and/or restrictions?

Explanation

This question is asking whether your system imposes any limitations or restrictions on password complexity or length for users who are not using Single Sign-On (SSO). Password complexity refers to requirements like including uppercase letters, lowercase letters, numbers, and special characters. Password length refers to the minimum and maximum number of characters allowed.

The guidance specifically asks about limitations or restrictions that might prevent users from creating strong passwords. For example, if your system has a maximum password length of 16 characters or doesn't support certain special characters, that would be considered a limitation.

This question is being asked in a security assessment because password strength is a critical security control. Systems that artificially limit password complexity or length (like not allowing special characters or having short maximum lengths) can prevent users from creating sufficiently strong passwords, making accounts more vulnerable to brute force or dictionary attacks.

To best answer this question:

1. Be specific about any password limitations your system has.
2. Explain your minimum requirements (which are good), but focus on any maximum limits (which are potential security concerns).
3. Mention any character restrictions.
4. If you have no limitations that would prevent strong passwords, explain your approach.

Note that the guidance specifically asks you to answer 'yes' if your solution has internal limits - this means they're looking for potential security weaknesses in how your system handles passwords.

Guidance

Answer "yes" if your solution has internal limits to password complexity (max length, certain special characters unsupported, etc.).

Example Responses

Example Response 1

Yes. Our system has the following password limitations: passwords must be between 8-64 characters, and must contain at least one uppercase letter, one lowercase letter, one number, and one special character. We support most special characters except for < > & ' " due to security considerations around potential injection attacks. We do not allow spaces in passwords. These restrictions are in place to ensure a baseline of security while preventing certain security vulnerabilities.

Example Response 2

Yes. Our application enforces a minimum password length of 12 characters and a maximum of 128 characters. We require passwords to contain characters from at least 3 of these 4 categories: uppercase letters, lowercase letters, numbers, and special characters. We support all ASCII special characters except for the backslash (\) due to escape sequence handling in our backend systems. These requirements align with NIST SP 800-63B guidelines while addressing specific technical constraints of our platform.

Example Response 3

No. While our system enforces minimum password requirements (at least 8 characters with complexity requirements), we do not impose maximum length restrictions or character limitations that would prevent users from creating strong passwords. Our system supports passwords up to 256 characters and allows all printable ASCII characters including spaces and special characters. This approach allows users to create strong, complex passwords or passphrases without artificial limitations. We recognize that imposing maximum length restrictions or character limitations could potentially weaken password security.
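The limitations described in the Explanation and the three example responses above, encoded as a small policy validator so the "yes"/"no" answer to AAAI-04 can be checked mechanically. This is an added example written for this page, not ResponseHub's or any vendor's code; the 64-character threshold is an assumption taken from NIST SP 800-63B's recommendation to permit at least 64 characters, and Response 3's unspecified "complexity requirements" are assumed to mean three of four character classes.

```python
import string
from dataclasses import dataclass

# Printable ASCII including space (tabs and newlines excluded).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

@dataclass
class PasswordPolicy:
    """Password rules as a system might enforce them (constructed example)."""
    min_length: int
    max_length: int            # hard cap the system enforces
    disallowed: str = ""       # characters the system rejects outright
    allow_spaces: bool = True
    required_classes: int = 0  # of upper / lower / digit / special

    def violations(self, pw: str) -> list[str]:
        """Return every reason this policy would reject a candidate password."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if not self.allow_spaces and " " in pw:
            problems.append("contains a space")
        bad = "".join(sorted(set(pw) & set(self.disallowed)))
        if bad:
            problems.append("unsupported characters: " + bad)
        classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                       any(c.isdigit() for c in pw),
                       any(c in string.punctuation for c in pw)])
        if classes < self.required_classes:
            problems.append(f"only {classes} of {self.required_classes} character classes")
        return problems

def has_internal_limits(policy: PasswordPolicy, usable_max: int = 64) -> bool:
    """AAAI-04 answer: True ("yes") when the policy caps length below what a
    passphrase needs (64, the NIST SP 800-63B minimum to permit, assumed here)
    or rejects printable characters, including space, a user may want to use."""
    return (policy.max_length < usable_max
            or bool(set(policy.disallowed) & PRINTABLE)
            or not policy.allow_spaces)

# The three example responses above, encoded as policies. Response 3 only says
# "complexity requirements", so required_classes=3 there is an assumption.
RESPONSE_1 = PasswordPolicy(8, 64, disallowed="<>&'\"", allow_spaces=False, required_classes=4)
RESPONSE_2 = PasswordPolicy(12, 128, disallowed="\\", required_classes=3)
RESPONSE_3 = PasswordPolicy(8, 256, required_classes=3)
```

Responses 1 and 2 answer "yes" (rejected characters, and no spaces in Response 1), Response 3 answers "no"; `violations()` shows which rule a given passphrase would trip under each policy.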

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub