Supported Compliance Frameworks¶
--framework ID (repeatable or comma-separated) checks generated passwords against one or more
built-in policy presets. Each preset is a fixed set of length, entropy, and character-class
requirements defined in crates/paranoid-core/src/lib.rs (FrameworkId, ComplianceFramework,
FRAMEWORKS). Selecting a framework can change how passwords are generated: the effective length
is raised to the framework’s minimum length when it exceeds --length, and the framework’s
character-class requirements (mixed case, digits, symbols) are folded into the generation
requirements alongside a per-password and batch-level pass/fail check against that preset’s
requirements. For example, --length 8 --framework iso27001 generates a 12-character password
because ISO 27001’s minimum length is 12.
Frameworks¶
Id |
Aliases |
Display name |
Min length |
Min entropy (bits) |
Mixed case |
Digits |
Symbols |
|---|---|---|---|---|---|---|---|
|
— |
NIST SP 800-63B |
8 |
30.0 |
no |
no |
no |
|
|
PCI DSS 4.0 |
12 |
60.0 |
yes |
yes |
no |
|
— |
HIPAA |
8 |
50.0 |
yes |
yes |
yes |
|
|
SOC 2 |
8 |
50.0 |
yes |
yes |
no |
|
— |
GDPR / ENISA |
10 |
80.0 |
yes |
yes |
yes |
|
|
ISO 27001 |
12 |
90.0 |
yes |
yes |
yes |
The Id column is the canonical string accepted by --framework and returned by
FrameworkId::as_str(). The Aliases column lists additional strings FrameworkId::parse()
accepts for the same id; the CLI’s --help text advertises only the canonical ids.
Each row’s requirements come directly from that framework’s entry in FRAMEWORKS:
Min length — minimum accepted password length.
Min entropy (bits) — minimum accepted Shannon entropy for the password.
Mixed case — whether both uppercase and lowercase characters are required.
Digits — whether at least one digit is required.
Symbols — whether at least one symbol character is required.
Usage¶
paranoid-passwd --cli --length 20 --count 3 --framework nist,pci_dss
paranoid-passwd vault generate-store --title GitHub --username jon@example.com --length 24 --framework nist
Passing multiple frameworks requires the generated password to satisfy every selected framework’s
requirements, not just one. --json output reports per-framework and combined
selected_frameworks_pass results alongside the rest of the audit. --audit-jsonl output is
limited to operational audit events and does not include framework compliance results.
None of these presets are an authorization, certification, or compliance claim for the named standard — they are password-strength policy presets modeled on each standard’s published password guidance. See Federal Control Mapping for the separate NIST SP 800-53 control-family evidence map used for FedRAMP/GovCloud/DoD IL5 evaluation.