Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-35310 | SRG-APP-000164-AS-000112 | SV-46597r1_rule | | Medium |
Description |
---|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one of several factors that help determine strength and how long it takes to crack a password. The shorter the password is, the lower the number of possible combinations that need to be tested before the password is compromised. Application servers either provide a local user store or integrate with enterprise user stores like LDAP. When the AS provides the user store and enforces authentication, the AS must enforce minimum password length. |
STIG | Date |
---|---|
Application Server Security Requirements Guide | 2013-01-08 |
Check Text (C-43679r1_chk) |
---|
Review AS documentation and configuration to determine if the AS enforces minimum password length. If the AS is not configured to enforce minimum password length, or is not configured to utilize a centralized user store that meets this requirement, this is a finding. |
Fix Text (F-39856r1_fix) |
---|
Configure the AS to enforce the minimum password length when creating or changing a password. |