Regulations that specify password length?
I believe the National Institute of Standards and Technology (NIST) publishes the United States Government Configuration Baseline (USGCB, formerly known as Federal Desktop Core Configuration or FDCC) checklists, which specify the password complexity, lifetime, and history requirements for U.S. federal organizations. Also, the Center for Internet Security (CIS) publishes Benchmarks for various platforms, which include similar recommendations.
Between the two, the highest mark is:
- 12 characters minimum.
- At least three character types.
- Expiration in 60 days.
- Minimum lifetime of 1 day.
- No reuse within 24 passwords.
- Some OS-specific additional requirements may be applied.
Those settings are applied at the OS level. I'm not sure if either organization has similar specifications specifically targeting applications or websites, but most organizations which are subject to these will probably just use the same requirements as they do in the OS.
A Google search for any of the above terms should turn up a wealth of information. (I may add links here myself later, or anyone else is free to edit them in.)
To be honest the "official documentation" for all of these standards is incomplete, and as a CISSP in the industry it's really annoying.
How I look at it is that no one is going to approve you if you have known vulnerabilities in your software, period. The authority for this is the Community Emergency Response Teams (CERT), and CERTs issue CVE numbers for vulnerabilities. All CERTs use the Common Weakness Enumeration system to classify vulnerabilities in software.
There is CWE-521 - Weak Password Requirements which lists the following:
- Minimum and maximum length;
- Require mixed character sets (alpha, numeric, special, mixed case);
- Do not contain user name;
- Expiration;
- No password reuse.
It should be noted that the CWE system is a tree, and the parent of CWE-521 is CWE-255 credentials management.
Since you are looking for ANY regulatory body, whether applicable to you or not, Department of Defense Instruction 8500.2, Information Assurance Implementation states:
For systems utilizing a logon ID as the individual identifier, passwords are, at a minimum, a case sensitive, 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). At least four characters must be changed when a new password is created.