UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DNS implementation must enforce the number of characters changed when passwords are changed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34110 SRG-NET-000159-DNS-000098 SV-44563r1_rule Medium
Description
Passwords need to be changed at specific policy based intervals to avoid almost certain compromise. Any password, no matter how complex, can eventually be cracked and, therefore, must be changed frequently. However, if users are allowed to change a password just slightly, without changing most of the characters, and if that password were to be compromised, it would take very little on the hacker's behalf to determine what the new password is. If a malicious user has obtained an older password associated with a user, and the authorized user only changes one or two characters each time, it will require much less in the way of resources and time for the unauthorized or malicious user to figure out new passwords.
STIG Date
Domain Name System (DNS) Security Requirements Guide 2012-10-24

Details

Check Text ( C-42070r1_chk )
Review the DNS account management configuration settings to determine whether the DNS enforces the requirement to change a minimum organization defined number of characters for password changes. If not, this is a finding.

The account management functions will be performed by the name server application if the capability exists. If the capability does not exist the underlying platform's account management system may be used.
Fix Text (F-38020r1_fix)
Configure the DNS implementation settings to force a minimum organization defined number of characters to change when a password is changed.