5.1.1.1 Memorized Secret Authenticators. "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. [...] No other complexity requirements for memorized secrets SHOULD be imposed."