
The mobile operating system must force the user to change an organizationally-defined minimum number of characters of the device unlock password whenever the passcode is changed.


Overview

Finding ID: V-32999
Version: SRG-OS-000072-MOS-000047
Rule ID: SV-43397r2_rule
IA Controls:
Severity: Medium
Description
If an adversary learns part or all of a password, the adversary can use this information to more easily crack a user's subsequent passwords if the passwords do not differ significantly from one to the next. Requiring a user to change a specified minimum number of characters in the password is an effective way of preserving the protection provided by password complexity in this context.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41296r2_chk)
Review the mobile operating system password complexity configuration settings to determine if the device unlock password requires an organizationally-defined minimum number of characters to be modified whenever the passcode is changed. If password complexity configuration settings do not require an organizationally-defined minimum number of characters to be changed, this is a finding.
Fix Text (F-36911r2_fix)
Configure the mobile operating system to enforce an organizationally-defined minimum number of characters to be changed when the device unlock password is changed.