UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32467 SRG-APP-000170-DB-000073 SV-42804r1_rule Medium
Description
Passwords need to be changed at specific policy based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has not had enough elements changed to meet the policy requirements. Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password.
STIG Date
Database Security Requirements Guide 2012-07-02

Details

Check Text ( C-40905r1_chk )
Check DBMS settings to determine whether the DBMS enforces the requirement to change a minimum organization defined number of characters for password changes. If not, this is a finding.
Fix Text (F-36382r1_fix)
Modify DBMS settings to force a minimum organization defined number of characters to change when a password is changed.