Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-11947 | GEN000580 | SV-27111r2_rule | IAIA-1 IAIA-2 | Medium |
Description |
---|
The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space. |
STIG | Date |
---|---|
HP-UX SMSE Security Technical Implementation Guide | 2014-02-28 |
Check Text ( C-28027r4_chk ) |
---|
For Trusted Mode: Check the system password length setting. For Trusted systems, the range of supported values for N is 6 to 80. # grep MIN_PASSWORD_LENGTH /etc/default/security If the MIN_PASSWORD_LENGTH attribute is not set to N=14 or greater, this is a finding. For SMSE: Check the system password length setting. For Standard (non-SMSE enabled) systems, the maximum supported length is N=8. Once the /etc/shadow file is created and long passwords are enabled (may require additional software product installations), check the system password length setting. The LONG_PASSWORD attribute is valid only when the LongPassword11i3 product is installed and the password hash algorithm is different from the traditional DES-based hash algorithm. # egrep "CRYPT_ALGORITHMS_DEPRECATE|CRYPT_DEFAULT|LONG_PASSWORD|MIN_PASSWORD_LENGTH" /etc/default/security /var/adm/userdb/* The following is an example output from the above command: CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 LONG_PASSWORD=1 MIN_PASSWORD_LENGTH=14 Note: The MIN_PASSWORD_LENGTH attribute may exceed 14 characters. If the attributes CRYPT_ALGORITHMS_DEPRECATE, CRYPT_DEFAULT, LONG_PASSWORD, and MIN_PASSWORD_LENGTH are not set per the above example output, this is a finding. |
Fix Text (F-24374r4_fix) |
---|
For Trusted Mode: Use the SAM/SMH interface to set the system password length attribute “MIN_PASSWORD_LENGTH” to 14 or greater. For SMSE: Note: There may be additional package/bundle updates that must be installed to support attributes in the /etc/default/security file. Install the additional LongPassword11i3 and PHI11i3 product bundles where/as required. Use the SAM/SMH interface (/etc/default/security file) and/or the userdbset command (/var/adm/userdb/* files) to update the attribute(s). See the below example(s): CRYPT_ALGORITHMS_DEPRECATE=__unix__ CRYPT_DEFAULT=6 LONG_PASSWORD=1 MIN_PASSWORD_LENGTH=14 Note: The MIN_PASSWORD_LENGTH attribute must be set greater than or equal to 14. If the "vi" editor was used to update the /etc/default/security file, save the file before exiting the editor. |