UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DBMS must enforce password minimum lifetime restrictions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-32470 SRG-APP-000173-DB-000076 SV-42807r1_rule Medium
Description
Password minimum lifetime is the minimum period of time, (typically in days) a user's password must be in effect before the user can change it. Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals, however if the application allows the user to immediately and continually change their password then the password could be repeatedly changed in a short period of time defeating the organizations policy regarding password reuse. Not enforcing password minimum lifetime restrictions would allow users to keep using the same password repeatedly by immediately changing their password X number of times. This would effectively negate password policy.
STIG Date
Database Security Requirements Guide 2012-07-02

Details

Check Text ( C-40908r1_chk )
Review DBMS settings and function logic or have the DBA demonstrate a password change to ensure minimum lifetime restrictions exist and are enforced. If minimum lifetime restrictions do not exist, this is a finding.
Fix Text (F-36385r1_fix)
Define, configure, and test a password verify feature or function that authenticates passwords on change to ensure changes to passwords fall outside of minimum lifetime restrictions.