
The mobile operating system must disallow the device unlock password from containing less than an organizationally-defined minimum number of upper case alphabetic characters.


Overview

Finding ID: V-32996
Version: SRG-OS-000069-MOS-000044
Rule ID: SV-43394r2_rule
IA Controls:
Severity: Medium
Description
Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute force attack. Setting minimum numbers of certain types of characters increases password complexity, and therefore makes it more difficult for an adversary to discover the password. In the DoD, the expectation is that the setting will range from a minimum of 1 to 2 upper case alphabetic characters in the device unlock password. The parameter should be selected based on a risk assessment that weighs factors such as the environments in which the device will be located and the operational requirements for users to access data in a timely manner.
STIG Date
Mobile Operating System Security Requirements Guide 2013-07-03

Details

Check Text (C-41293r2_chk)
Review the mobile operating system password complexity configuration settings to determine if the device unlock password requires an organizationally-defined minimum number of upper case alphabetic characters. If password complexity configuration settings do not require the device unlock password to have this minimum number of upper case alphabetic characters, this is a finding.
Fix Text (F-36908r2_fix)
Configure the mobile operating system to prohibit the device unlock password from containing fewer than an organizationally-defined minimum number of upper case alphabetic characters.