The mobile operating system must enforce a minimum length for the device unlock password.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33005	SRG-OS-000078-MOS-000052	SV-43403r1_rule		Medium

Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many times an attempt to crack the password, how quickly the adversary can do each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space.

STIG	Date
Mobile Operating System Security Requirements Guide	2012-10-01

Details

Check Text ( C-41302r1_chk )
Review the mobile operating system configuration to determine if the device enforces a minimum length for the device unlock password. For device unlock on mobile operating systems with no access to sensitive or classified information, the requirement is a minimum of 4 numbers. For access to security containers and mobile devices with sensitive information, the minimum length is 8 with complexity. If the device does not enforce a minimum length for the device unlock password, this is a finding.

Check Text ( C-41302r1_chk )

Review the mobile operating system configuration to determine if the device enforces a minimum length for the device unlock password. For device unlock on mobile operating systems with no access to sensitive or classified information, the requirement is a minimum of 4 numbers. For access to security containers and mobile devices with sensitive information, the minimum length is 8 with complexity. If the device does not enforce a minimum length for the device unlock password, this is a finding.

Fix Text (F-36917r1_fix)
Configure the mobile operating system to enforce a minimum length for the device unlock password.