UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must require that passwords contain a minimum of 14 characters.


Overview

Finding ID Version Rule ID IA Controls Severity
V-11947 GEN000580 SV-27111r2_rule IAIA-1 IAIA-2 Medium
Description
The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.
STIG Date
HP-UX SMSE Security Technical Implementation Guide 2014-02-28

Details

Check Text ( C-28027r4_chk )
For Trusted Mode:
Check the system password length setting. For Trusted systems, the range of supported values for N is 6 to 80.
# grep MIN_PASSWORD_LENGTH /etc/default/security

If the MIN_PASSWORD_LENGTH attribute is not set to N=14 or greater, this is a finding.

For SMSE:
Check the system password length setting. For Standard (non-SMSE enabled) systems, the maximum supported length is N=8. Once the /etc/shadow file is created and long passwords are enabled (may require additional software product installations), check the system password length setting. The LONG_PASSWORD attribute is valid only when the LongPassword11i3 product is installed and the password hash algorithm is different from the traditional DES-based hash algorithm.
# egrep "CRYPT_ALGORITHMS_DEPRECATE|CRYPT_DEFAULT|LONG_PASSWORD|MIN_PASSWORD_LENGTH" /etc/default/security /var/adm/userdb/*

The following is an example output from the above command:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6
LONG_PASSWORD=1
MIN_PASSWORD_LENGTH=14

Note: The MIN_PASSWORD_LENGTH attribute may exceed 14 characters.

If the attributes CRYPT_ALGORITHMS_DEPRECATE, CRYPT_DEFAULT, LONG_PASSWORD, and MIN_PASSWORD_LENGTH are not set per the above example output, this is a finding.
Fix Text (F-24374r4_fix)
For Trusted Mode:
Use the SAM/SMH interface to set the system password length attribute “MIN_PASSWORD_LENGTH” to 14 or greater.

For SMSE:
Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file.

Install the additional LongPassword11i3 and PHI11i3 product bundles where/as required. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute(s). See the below example(s):
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=6
LONG_PASSWORD=1
MIN_PASSWORD_LENGTH=14

Note: The MIN_PASSWORD_LENGTH attribute must be set greater than or equal to 14.
If the "vi" editor was used to update the /etc/default/security file, save the file before exiting the editor.