LG Android 6.x must enforce a minimum password length of 6 characters.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-66807	LGA6-20-100201	SV-81297r2_rule		Low

Description
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a

Description

Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly an adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space. Having a too-short minimum password length significantly reduces password strength, increasing the chance of password compromise and resulting device and data compromise. SFR ID: FMT_SMF_EXT.1.1 #01a

STIG	Date
LG Android 6.x Security Technical Implementation Guide	2019-02-21

Details

Check Text ( C-67457r2_chk )
This validation procedure is performed on both the MDM Administration Console and the LG Android device. On the MDM Console, do the following: 1. Ask the MDM administrator to display the "Password length" setting in the MDM console. 2. In the password policy, verify the setting for the password length equals or is greater than six characters. On the LG Android device: 1. Unlock the device. 2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock >> Password >> Set password. 3. Attempt to enter a password with a length less than the required value. If the configured value of the "Password length" setting is less than six characters or if the LG Android device accepts a password of less than six characters, this is a finding.

Check Text ( C-67457r2_chk )

This validation procedure is performed on both the MDM Administration Console and the LG Android device.

On the MDM Console, do the following:

1. Ask the MDM administrator to display the "Password length" setting in the MDM console.
2. In the password policy, verify the setting for the password length equals or is greater than six characters.

On the LG Android device:

1. Unlock the device.
2. Navigate to the password entry screen: Settings >> General >> Security (or Fingerprints & security) >> Lock screen >> Select screen lock >> Password >> Set password.
3. Attempt to enter a password with a length less than the required value.

If the configured value of the "Password length" setting is less than six characters or if the LG Android device accepts a password of less than six characters, this is a finding.

Fix Text (F-72907r2_fix)
Configure the mobile operating system to enforce a minimum password length of six characters or more. On the MDM Administration Console, set the "Password length" value to six or greater.