2.1.9 seems wrong

[oEscal]

Is 2.1.9 right? Shouldn't passwords be required to have mixed character sets (https://cwe.mitre.org/data/definitions/521.html)?

[elarlang]

Seems, that CWE is outdated on the topic.

A lot of authentication and session management requirements in ASVS are based on NIST research, including password requirements.

The table contains also NIST column and refers to 5.1.1.2.

#	Description	L1	L2	L3	CWE	NIST §
2.1.9	Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters. (C6)	✓	✓	✓	521	5.1.1.2

... and there is written:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

For correction, maybe we need to get rid of the CWE value from the requirement. Title and short description are kind of valid, but section "Phase: Architecture and Design" is in conflict with NIST research.

[jmanico]

No, this requirement was removed in the recent NIST 800-63b standard. They added things like blocking common passwords and stopping credential, stuffing, and other controls that are more effective.