Insufficient Password Strength

Insufficient Password Strength exists when a password policy does not aid the user in selecting a password that is strong enough to protect against guessing and brute force attacks. 

Text-based passwords remain the dominant authentication method in computer systems, despite significant advancement in attackers’ capabilities to perform password cracking. Password policies are a set of rules designed to enhance computer security by encouraging users to employ the strongest possible passwords and to use them properly. Password strength is a measure of the effectiveness of a password. In its usual form, it estimates how many attempts an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.