
The application server must prohibit password reuse for the organization defined number of generations.


Overview

Finding ID: V-35311
Version: SRG-APP-000165-AS-000113
Rule ID: SV-46598r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Password complexity, or strength, is a measure of how effectively a password resists guessing and brute-force attacks. To meet password policy requirements, passwords must be changed at policy-defined intervals. However, if the application server allows a user to reuse a password once that password has exceeded its defined lifetime, the end result is de facto reuse of an existing password. Application servers can authenticate using LDAP, certificates (tokens), or user IDs and passwords. When the AS uses user IDs and passwords, it must prohibit reuse of a user's password for the organization-defined number of password changes.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text ( C-43681r2_chk )
Review AS documentation and configuration to determine if the AS prohibits password reuse for the defined number of password changes. If the AS is not configured to prohibit password reuse for the defined number of password changes, or is not configured to utilize a centralized user store that meets this requirement, this is a finding.
Fix Text (F-39857r1_fix)
Configure the AS to prohibit password reuse for the organization defined number of generations.
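The mechanism behind this requirement is a password history: the server keeps a salted hash of each of the user's last N passwords and rejects a new password that matches any of them, so expiring a password cannot be satisfied by setting it back to the old value. The following is an added illustration of that check, not code from the STIG or from any application server product; the class and method names (PasswordHistory, change_password, simulate_rotation) and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import deque

# Added example: a minimal password-history store that enforces
# "no reuse for the last N generations". Names and parameters are
# assumptions for illustration, not any vendor's API.

PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (one salt per history entry)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Remembers the current password and the most recent previous ones.

    `generations` is the organization-defined number of passwords a user
    may not reuse, counting the current one. With generations=3 the user
    cannot return to a password until three newer ones have been set.
    """

    def __init__(self, generations: int):
        if generations < 1:
            raise ValueError("generations must be at least 1")
        self.generations = generations
        # Each entry is (salt, digest); deque drops the oldest automatically.
        self._entries: deque = deque(maxlen=generations)

    def is_reused(self, candidate: str) -> bool:
        """True if candidate matches any remembered password (constant-time compare)."""
        for salt, digest in self._entries:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                return True
        return False

    def change_password(self, candidate: str) -> bool:
        """Accept the new password and record it, or reject it as a reuse.

        Returns True when the change is accepted, False when refused.
        """
        if self.is_reused(candidate):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _hash(candidate, salt)))
        return True


def simulate_rotation(generations: int, attempts: list) -> list:
    """Apply a sequence of password changes and return the accept/reject outcome of each."""
    history = PasswordHistory(generations)
    return [history.change_password(p) for p in attempts]


if __name__ == "__main__":
    # Constructed sample: a user tries to cycle straight back to an old password.
    attempts = ["Alpha!2024", "Bravo!2024", "Alpha!2024", "Charlie!2024", "Alpha!2024"]
    for pw, ok in zip(attempts, simulate_rotation(2, attempts)):
        print(f"{pw:14} {'accepted' if ok else 'REJECTED (reuse)'}")
```

The rejected third attempt is exactly the de facto reuse the description warns about; the accepting fifth attempt shows the window sliding once enough newer passwords exist. When reviewing an AS per the check text, the equivalent evidence is the configured history depth in the server's own password policy or in the centralized user store it delegates to.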