Check: SRG-OS-000078-GPOS-00046
General Purpose Operating System SRG:
SRG-OS-000078-GPOS-00046
(in versions v3 r1 through v1 r6)
Title
The operating system must enforce a minimum 15-character password length. (Cat II impact)
Discussion
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Check Content
Verify the operating system enforces a minimum 15-character password length. If it does not, this is a finding.
Fix Text
Configure the operating system to enforce a minimum 15-character password length.
Additional Identifiers
Rule ID: SV-203634r982202_rule
Vulnerability ID: V-203634
Group Title: SRG-OS-000078
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000205 |
The information system enforces minimum password length. |
CCI-004066 |
For password-based authentication, enforce organization-defined composition and complexity rules. |
Controls
Number | Title |
---|---|
IA-5(1) |
Password-based Authentication |