
New passwords should be required to differ from old passwords by more than four characters.


Overview

Finding ID: V-3815
Version: DG0071-SQLServer9
Rule ID: SV-24220r1_rule
IA Controls: IAIA-1, IAIA-2
Severity: Medium
Description
Changing passwords frequently can thwart password-guessing attempts or re-establish protection of a compromised DBMS account. Minor changes to passwords may not accomplish this, because password guessing can continue to build on previous guesses, or the new password may be easily derived from the old one.
STIG: Microsoft SQL Server 2005 Instance Security Technical Implementation Guide
Date: 2015-06-16

Details

Check Text (C-13747r1_chk)
If no DBMS accounts authenticate using passwords, this check is Not a Finding.

If DBMS uses Windows Authentication only, this check is Not a Finding.

If the DBMS supports this functionality, review the settings and function logic or have the DBA demonstrate a password change to ensure that the function requires new passwords to differ from old passwords by more than four characters.

If the review or the demonstration reveals that passwords are not checked for a difference of more than four characters, this is a Finding.

NOTE: Ensure password policy enforcement is enabled for SQL Server accounts per Check DG0079.
Fix Text (F-14850r1_fix)
Define, configure and test a password verify feature or function that validates passwords on change to ensure that the new password differs from the old password by more than four characters.
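As an added example (not part of the STIG or of SQL Server), the check below is the kind of "password verify function" the fix text asks for, implemented where both the old and new password are available in clear text, i.e. in the password-change workflow rather than inside the engine, which only stores hashes. It assumes "differ by more than four characters" means a Levenshtein edit distance greater than four; the STIG does not define the metric.

```python
"""Added example: application-layer verify function for DG0071.

Assumption: "differ by more than four characters" is measured as the
Levenshtein edit distance between the old and new password (the STIG
does not say how to count differences).
"""

MIN_DIFFERING_CHARS = 4  # DG0071: new password must differ by MORE than four


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character inserts,
    deletes and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,           # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + cost))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def differs_enough(old: str, new: str, min_diff: int = MIN_DIFFERING_CHARS) -> bool:
    """True when the new password is far enough from the old one to satisfy
    the control.  The comparison is case-folded (a design choice here, not
    a STIG requirement) so that changing only letter case does not count
    as changing every character."""
    return edit_distance(old.casefold(), new.casefold()) > min_diff


def verify_change(old: str, new: str) -> str:
    """Result in the STIG's own terms, for use when a DBA demonstrates a
    password change as the check text describes."""
    return "Not a Finding" if differs_enough(old, new) else "Finding"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2015!", "Summer2016!"),   # 1 char changed
                     ("Summer2015!", "Winter2015!"),   # exactly 4 changed
                     ("Summer2015!", "Autumn2015!")]:  # 5 changed
        print(old, "->", new, ":", verify_change(old, new))
```

Exactly four differing characters is the boundary case the check text calls out: it must be rejected, since the requirement is strictly more than four.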