The designer will ensure the application has the capability to require account passwords that conform to DoD policy.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6130	APP3320	SV-6130r1_rule	IAIA-1	Medium

Description
Weak passwords can be guessed or easily cracked using various methods. This can potentially lead to unauthorized access to the application.

STIG	Date
Application Security and Development Checklist	2014-12-22

Details

Check Text ( C-2942r1_chk )
Policy: The designer will ensure the application has the capability to require account passwords having a minimum of 15 alphanumeric characters in length. The designer will ensure the application has the capability to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters. The Designer will ensure the application has the capability to require account passwords be changed every 60 days or more frequently. The Designer will ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdates, or dictionary words. The Designer will ensure the application has the capability to limit reuse of account passwords within the last 10 password changes. The Designer will ensure the application has the capability to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users. The Designer will ensure the application has the capability to require new account passwords differ from the previous password by at least four characters when a password is changed. The IAO will configure the application to ensure account passwords conform to DoD password policy. If the entire authentication process for the application is performed by the operating system (such is the case for a Desktop Application), this check is Not Applicable. First, inventory all the password based authentication processes present in the application. For example, a web server may effectively act as a client when authenticating with a back-end database server. Peer-to-peer processes also are included because each peer still acts in the role of a client or server for particular transactions. Each process must be evaluated separately. If multiple processes must be used for a single authentication attempt, the combination of the processes should be evaluated to ensure this check is fully met. In addition, the authentication may involve a user account database specific to the application or it may involve leveraging the authentication service of an operating system or directory service. 1) If the authentication process involves the presentation of a user account name only, this is a finding. If the authentication is based on passwords, the passwords must have the following characteristics: • A minimum of 15 characters • Include at least one uppercase alphabetic character • Include at least one lowercase alphabetic character • Include at least one non-alphanumeric (special) character • Expire after 60 days • Be different from the previous 10 passwords used • Be changeable by the administrator at any time • Be changeable by the associated user only once in a 24 hour period (for human user accounts) • Not be changeable by users other than the administrator or the user with which the password is associated • Not contain personal information such as names, telephone numbers, account names, birthdates or dictionary words. 2) If the passwords do not have these characteristics, it is a finding. To verify compliance with these requirements, check the configuration of the software that manages the authentication process (e.g., OS, directory, and database or application software) and determine if each of the criteria listed are met. Also sample individual accounts to determine if any of the policy settings are overridden (e.g., password set to never expire). Focus on non-human user accounts, as these are the most likely to violate the stated requirements. Non-human accounts, sometimes known as services accounts, may not be set to expire after 60 days.

Check Text ( C-2942r1_chk )

Policy:

The designer will ensure the application has the capability to require account passwords having a minimum of 15 alphanumeric characters in length. The designer will ensure the application has the capability to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters. The Designer will ensure the application has the capability to require account passwords be changed every 60 days or more frequently. The Designer will ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdates, or dictionary words. The Designer will ensure the application has the capability to limit reuse of account passwords within the last 10 password changes. The Designer will ensure the application has the capability to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users. The Designer will ensure the application has the capability to require new account passwords differ from the previous password by at least four characters when a password is changed. The IAO will configure the application to ensure account passwords conform to DoD password policy.

If the entire authentication process for the application is performed by the operating system (such is the case for a Desktop Application), this check is Not Applicable.

First, inventory all the password based authentication processes present in the application. For example, a web server may effectively act as a client when authenticating with a back-end database server. Peer-to-peer processes also are included because each peer still acts in the role of a client or server for particular transactions. Each process must be evaluated separately. If multiple processes must be used for a single authentication attempt, the combination of the processes should be evaluated to ensure this check is fully met.

In addition, the authentication may involve a user account database specific to the application or it may involve leveraging the authentication service of an operating system or directory service.

1) If the authentication process involves the presentation of a user account name only, this is a finding.

If the authentication is based on passwords, the passwords must have the following characteristics:
• A minimum of 15 characters
• Include at least one uppercase alphabetic character
• Include at least one lowercase alphabetic character
• Include at least one non-alphanumeric (special) character
• Expire after 60 days
• Be different from the previous 10 passwords used
• Be changeable by the administrator at any time
• Be changeable by the associated user only once in a 24 hour period (for human user accounts)
• Not be changeable by users other than the administrator or the user with which the password is associated
• Not contain personal information such as names, telephone numbers, account names, birthdates or dictionary words.

2) If the passwords do not have these characteristics, it is a finding.

To verify compliance with these requirements, check the configuration of the software that manages the authentication process (e.g., OS, directory, and database or application software) and determine if each of the criteria listed are met. Also sample individual accounts to determine if any of the policy settings are overridden (e.g., password set to never expire). Focus on non-human user accounts, as these are the most likely to violate the stated requirements. Non-human accounts, sometimes known as services accounts, may not be set to expire after 60 days.

Fix Text (F-4422r1_fix)
Enable PKI authentication. Enable the application to require account passwords having a minimum of 15 alphanumeric characters in length. Enable the application to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters. Enable the application to require account passwords be changed every 60 days or more frequently. Enable the application to ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdays, or dictionary words. Enable the application to limit reuse of account passwords within the last 10 password changes. Enable the application to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users. Enable the application to require new account passwords differ from the previous password by at least four characters when a password is changed. Configure the application to ensure account passwords conform to DoD password policy.

Fix Text (F-4422r1_fix)

Enable PKI authentication.
Enable the application to require account passwords having a minimum of 15 alphanumeric characters in length.
Enable the application to require account passwords contain a mix of upper case letters, lower case letters, numbers, and special characters.
Enable the application to require account passwords be changed every 60 days or more frequently.
Enable the application to ensure passwords do not contain personal information such as names, telephone numbers, account names, birthdays, or dictionary words.
Enable the application to limit reuse of account passwords within the last 10 password changes.
Enable the application to limit user changes to their account passwords once every 24 hours with the exception of privileged or administrative users.
Enable the application to require new account passwords differ from the previous password by at least four characters when a password is changed.
Configure the application to ensure account passwords conform to DoD password policy.