The DBMS must support organizational requirements to enforce the number of characters that get changed when passwords are changed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32467	SRG-APP-000170-DB-000073	SV-42804r1_rule		Medium

Description
Passwords need to be changed at specific policy based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has not had enough elements changed to meet the policy requirements. Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password.

Description

Passwords need to be changed at specific policy based intervals. If the information system or application allows the user to consecutively reuse extensive portions of their password when they change their password, the end result is a password that has not had enough elements changed to meet the policy requirements. Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this as password guessing may be able to continue to build on previous guesses or the new password may be easily guessed using the old password.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40905r1_chk )
Check DBMS settings to determine whether the DBMS enforces the requirement to change a minimum organization defined number of characters for password changes. If not, this is a finding.

Fix Text (F-36382r1_fix)
Modify DBMS settings to force a minimum organization defined number of characters to change when a password is changed.