Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-32467 | SRG-APP-000170-DB-000073 | SV-42804r1_rule | Medium |
Description |
---|
Passwords need to be changed at specific policy based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has not had enough elements changed to meet the policy requirements. Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password. |
STIG | Date |
---|---|
Database Security Requirements Guide | 2012-07-02 |
Check Text ( C-40905r1_chk ) |
---|
Check DBMS settings to determine whether the DBMS enforces the requirement to change a minimum organization defined number of characters for password changes. If not, this is a finding. |
Fix Text (F-36382r1_fix) |
---|
Modify DBMS settings to force a minimum organization defined number of characters to change when a password is changed. |