Check: KNOX-09-000370
Samsung OS 9 with Knox 3.x COBO Use Case KPE(AE) Deployment STIG:
KNOX-09-000370
(in versions v1 r4 through v1 r1)
Title
Samsung Android must be configured to enforce a minimum password length of six characters. (Cat III impact)
Discussion
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #1a
Check Content
Review device configuration settings to confirm that the minimum password length is six or more characters. This procedure is performed on both the MDM administration console and the Samsung Android device. On the MDM console, for the device, in the "Android password constraints" group, verify that the "minimum password length" is "6" or greater. On the Samsung Android device, do the following: 1. Open Settings. 2. Tap "Lock screen". 3. Tap "Screen lock type". 4. Enter current password. 5. Tap "Password". 6. Verify that passwords entered with fewer than six characters are not accepted. If on the MDM console "minimum password length" is less than "6", or on the Samsung Android device a password of less than "6" characters is accepted, this is a finding.
Fix Text
Configure Samsung Android to enforce a minimum password length of six characters. On the MDM console, in the Android password constraints, set the "minimum password length" to "6" or greater.
Additional Identifiers
Rule ID: SV-217669r378766_rule
Vulnerability ID: V-217669
Group Title: PP-MDF-301010
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000205 |
The information system enforces minimum password length. |
Controls
Number | Title |
---|---|
IA-5 (1) |
Password-Based Authentication |