{
    "id": "S060",
    "name": "Enforce minimum password length of 8 characters, recommend 15+",
    "description": "Enforce minimum password length of 8 characters as absolute minimum. Recommend 15+ characters for better security. Support passwords up to 64-128 characters. Combine with breach password checking.",
    "category": "security",
    "severity": "medium",
    "enabled": true,
    "engines": ["heuristic"],
    "enginePreference": ["heuristic"],
    "tags": ["security", "password", "authentication", "policy"],
    "examples": {
        "valid": [
            "if (password.length < 8) throw new Error('Password too short');",
            "const MIN_PASSWORD_LENGTH = 12;",
            "validator.isLength(password, { min: 8, max: 128 });"
        ],
        "invalid": [
            "if (password.length < 4) // Too short minimum",
            "if (password.length < 6) // Below NIST recommendation",
            "// No password length validation"
        ]
    },
    "fixable": false,
    "docs": {
        "description": "This rule enforces NIST SP 800-63B password guidelines. Minimum 8 characters absolute minimum (12+ recommended). Support maximum length of 64+ characters. Allow all printable characters including spaces. Check against breach databases (Have I Been Pwned). Do not require arbitrary complexity rules (uppercase, numbers, symbols).",
        "url": "https://pages.nist.gov/800-63-3/sp800-63b.html"
    }
}