Passwords do not meet complexity requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-7961	DSN13.06	SV-8447r1_rule	ECSC-1 IAIA-1 IAIA-2	Low

Description
Requirement: The IAO will ensure that passwords are required and contain at a minimum, a case sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2! Devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing system or information damage, or denial of service. By requiring passwords to be eight non-repeating characters in length, contain numbers, upper and lower case characters, and a special character, the probability of password guessing is mitigated.

Description

Requirement: The IAO will ensure that passwords are required and contain at a minimum, a case sensitive, eight-character mix of upper-case letters, lower-case letters, numbers, and special characters, including at least one of each (e.g., emPagd2! Devices not protected with strong password schemes provide the opportunity for anyone to crack the password thus gaining access to the device and causing system or information damage, or denial of service. By requiring passwords to be eight non-repeating characters in length, contain numbers, upper and lower case characters, and a special character, the probability of password guessing is mitigated.

STIG	Date
Defense Switched Network STIG	2015-01-02

Details

Check Text ( C-7372r1_chk )
Have the IAO or SA demonstrate compliance with the requirement; minimally on a sampling of the related or effected devices. Inspect configuration files as applicable.

Fix Text (F-7536r1_fix)
Enforce a password policy to ensure complex passwords. Configure the system to require passwords to be eight non-repeating characters in length, contain numbers, upper and lower case characters, and a special character, if technically feasible.