
The application server must enforce minimum password length.


Overview

Finding ID: V-35310
Version: SRG-APP-000164-AS-000112
Rule ID: SV-46597r1_rule
IA Controls: (none listed)
Severity: Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. Password length is one of several factors that help to determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When the application server (AS) provides the user store and enforces authentication, the AS must enforce minimum password length.

STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43679r1_chk)
Review AS documentation and configuration to determine if the AS enforces minimum password length. If the AS is not configured to enforce minimum password length, or is not configured to utilize a centralized user store that meets this requirement, this is a finding.

Fix Text (F-39856r1_fix)
Configure the AS to enforce the minimum password length when creating or changing a password.