Check: DSN13.06
Defense Switched Network (DSN) STIG:
DSN13.06
(in versions v2 r8 through v2 r7)
Title
Passwords do not meet complexity requirements. (Cat III impact)
Discussion
Requirement: The IAO will ensure that passwords are required and contain, at a minimum, a case-sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!). Devices not protected with strong password schemes provide the opportunity for anyone to crack the password, thus gaining access to the device and causing system or information damage, or denial of service. By requiring passwords to be eight non-repeating characters in length and to contain numbers, upper and lower case characters, and a special character, the probability of password guessing is mitigated.
Check Content
Have the IAO or SA demonstrate compliance with the requirement, minimally on a sampling of the related or affected devices. Inspect configuration files as applicable.
Fix Text
Enforce a password policy to ensure complex passwords. Configure the system to require passwords to be eight non-repeating characters in length, contain numbers, upper and lower case characters, and a special character, if technically feasible.
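An added example, not part of the STIG text: a Python validator for the policy in the Fix Text, suitable for a password-set hook or for testing a device's policy engine with constructed candidates. It assumes "special character" means ASCII punctuation and "non-repeating" means no character occurs more than once (case sensitive); the function names and sample strings are hypothetical.

```python
import string

MIN_LENGTH = 8  # "eight-character" minimum from the requirement

# Assumption: "special character" means ASCII punctuation.
SPECIALS = set(string.punctuation)


def check_password(candidate: str) -> list[str]:
    """Return the policy rules the candidate fails; an empty list means compliant."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("length")
    if not any(c in string.ascii_uppercase for c in candidate):
        failures.append("upper")
    if not any(c in string.ascii_lowercase for c in candidate):
        failures.append("lower")
    if not any(c in string.digits for c in candidate):
        failures.append("digit")
    if not any(c in SPECIALS for c in candidate):
        failures.append("special")
    # Assumption: "non-repeating" means no character appears twice.
    # The comparison is case sensitive, so "a" and "A" are distinct.
    if len(set(candidate)) != len(candidate):
        failures.append("repeat")
    return failures


def audit(candidates: list[str]) -> dict[str, list[str]]:
    """Map each non-compliant candidate to its failed rules."""
    results = {c: check_password(c) for c in candidates}
    return {c: f for c, f in results.items() if f}


if __name__ == "__main__":
    # Constructed sample candidates; "emPagd2!" is the example from the requirement.
    samples = ["emPagd2!", "Password1!", "empagd2!", "eP2!"]
    for cand, failed in audit(samples).items():
        print(f"{cand!r}: fails {', '.join(failed)}")
```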
Additional Identifiers
Rule ID: SV-8447r1_rule
Vulnerability ID: V-7961
Group Title: Passwords do not meet complexity requirements.
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |