Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-67603 | AOSX-11-000585 | SV-82093r1_rule | Medium |
Description |
---|
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
STIG | Date |
---|---|
Apple OS X 10.11 Security Technical Implementation Guide | 2017-04-06 |
Check Text ( C-68169r1_chk ) |
---|
Password policy can be set with a configuration profile or the "pwpolicy" utility. If password policy is set with a configuration profile, run the following command to check if the system is configured to require that passwords contain at least one numeric character: /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep requireAlphanumeric If "requireAlphanumeric" is not set to "1" or is undefined, this is a finding. If password policy is set with the "pwpolicy utility", run the following command instead: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies Look for the line " If it does not exist, and password policy is not controlled by a directory server, this is a finding. Otherwise, in the array section that follows it, there should be a If this check allows users to create passwords without at least one numeric character, or if no such check exists, this is a finding. |
Fix Text (F-73717r1_fix) |
---|
This setting may be enforced using the "Passcode Policy" configuration profile or by a directory server. To set the password policy without a configuration profile, run the following command to save a copy of the current pwpolicy account policy file: /usr/bin/sudo /usr/bin/pwpolicy getaccountpolicies | tail -n +2 > pwpolicy.plist Open the generated file in a text editor. If the file does not yet contain any policy settings, replace The same text can also be used if the line " If the file does contain policy settings, and the line " After saving the file and exiting to the command prompt, run the following command to load the new policy file: /usr/bin/sudo /usr/bin/pwpolicy setaccountpolicies pwpolicy.plist Note: Updates to password restrictions must be thoroughly evaluated in a test environment. Mistakes in configuration may block password change and local user creation operations, as well as, lock out all local users, including administrators. |