Weak minimum password length policy
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A configured minimum password length of five characters or fewer lets users pick trivially guessable passwords.
Why it matters
A minimum password length of five characters or fewer lets users choose passwords that fall to brute force and guessing almost immediately. Length is the single strongest factor in password strength, and short minimums undercut every hashing choice you make downstream. Current guidance puts the floor at eight characters, and higher for anything sensitive.
How to fix it
Raise the minimum password length to at least 8 (12 is a better floor for admin or high-value accounts) and check it on the server, not only in the browser. Screen new passwords against a breached-password list (for example the Have I Been Pwned range API) instead of imposing complex composition rules, which push users toward predictable patterns.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo