Title

LG Android 6.x must enforce a minimum password length of 6 characters. (Cat III impact)

Discussion

Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a

Check Content

This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM Console, do the following: 1. Ask the MDM administrator to display the "Password length" setting in the MDM console. 2. In the password policy, verify the setting for the password length equals or is greater than six characters. On the LG Android device: 1. Unlock the device. 2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock >> Password >> Set password. 3. Attempt to enter a password with a length less than the required value. If the configured value of the "Password length" setting is less than six characters or if the LG Android device accepts a password of less than six characters, this is a finding.

Fix Text

Configure the mobile operating system to enforce a minimum password length of six characters or more. On the MDM Administration Console, set the "Password length" value to six or greater.

Additional Identifiers

Rule ID: SV-81297r2_rule

Vulnerability ID: V-66807

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.