UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The application server must prohibit password reuse for the organization defined number of generations.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35311 SRG-APP-000165-AS-000113 SV-46598r1_rule Medium
Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. To meet password policy requirements, passwords need to be changed at specific policy-based intervals. However, if the application server allows the user to reuse their password when that password has exceeded its defined lifetime, the end result is a defacto reuse of an existing password. App servers have the capability to utilize LDAP, certificates (tokens), or user IDs and passwords in order to authenticate. When the AS utilizes user IDs and passwords, the AS must prohibit the reuse of the user's password for the organization defined number of password changes.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text ( C-43681r2_chk )
Review AS documentation and configuration to determine if the AS prohibits password reuse for the defined number of password changes. If the AS is not configured to prohibit password reuse for the defined number of password changes, or is not configured to utilize a centralized user store that meets this requirement, this is a finding.
Fix Text (F-39857r1_fix)
Configure the AS to prohibit password reuse for the organization defined number of generations.