PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters

by Randy Bartels / December 21st, 2017

Requirements for Password/Passphrase Complexity and Strength

Passwords/passphrases are your organization’s first line of defense, which is why PCI Requirement 8.2.3 states that your users’ passwords/passphrases must require a minimum of seven characters and contain both numeric and alphabetic characters. The combination of length and alphanumeric characters gives passwords/passphrases the complexity and strength to stand against attackers. The PCI DSS explains, “Malicious individuals will often first try to find accounts with weak or nonexistent passwords. If passwords are short or simple to guess, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID.”

Although PCI Requirement 8.2.3 asks that passwords/passphrases must require a minimum of seven characters and contain both numeric and alphabetic characters, sometimes due to technical limitations, these minimum requirements cannot be met. In these cases, passwords/passphrases must have complexity and strength at least equivalent to the parameters specified by PCI Requirement 8.2.3.

The password settings and password requirements that you have within your environment need to be set to a minimal level of standards. Understand that the PCI DSS should not be considered the gold standard by any means, a lot of people might even consider it a copper standard. I’ve even talked to people that have said it’s more like a PVC standard around the level of security that we’re expecting.

The PCI DSS requires that passwords require at least seven characters and that there are alphanumeric requirements within the password. That’s what’s required; I would recommend to you, though, to teach your staff how to create a passphrase rather than just a password. There are things out there called rainbow tables; if a hacker gets ahold of the hashes, the passwords have been calculated out to 13 and 14 characters. I would recommend at least eight or nine characters for a minimum setting from a organizational security perspective. The PCI DSS requires that you only have a minimum of seven characters and that they contain alphanumeric characters. There are some caveats to this. If you ever read the guidance to PCI Requirement 8.2.3, it talks about password entropy and password equivalency. If you have an application or an environment that cannot meet the password requirements, there are things that you can do to meet this particular requirement by using password equivalency or password entropy.