Password length (< 8) requirement is too short.

Description

Minimum password length should be enforced any time password creation occurs. This rule checks if configurations and validations made for passwords include a minimum length of 8.

Remediations

✅ OWASP recommends a password length of at least 8 characters, which is easy to enforce at the model level in Rails using validation constraint:

validates :password, presence: true, length: { minimum: 8, maximum: 255 }

Resources

Associated CWE

OWASP Top 10