Finding ID | Version | Rule ID | IA Controls | Severity
---|---|---|---|---
V-33003 | SRG-OS-000076-NA | SV-43401r3_rule | | Low
Description
---
Passwords need to be changed at specific policy-based intervals. Any password, no matter how complex, can eventually be cracked. Rationale for non-applicability: Changing passwords regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario on a mobile device because these devices do not have a remote logon capability that would facilitate either stealth use of the device or a brute force or dictionary password attack. Wiping the device after 10 unsuccessful logon attempts mitigates the risk of a password attack more effectively than a password rotation scheme. Additionally, NSA guidance for CMDs no longer requires password aging and password history settings.
STIG | Date
---|---
Mobile Operating System Security Requirements Guide | 2013-07-03
Check Text (C-41300r2_chk)
---
Review the mobile operating system configuration for an organizationally-defined maximum password age setting. If the mobile device does not contain or access sensitive or classified information, this requirement does not apply. If the mobile operating system does not enforce an organizationally-defined maximum password age, this is a finding. NOTE: The IA control only needs to be enforced in product-level STIGs if there is a need for such rotation based on the expected operational use of the device.
Fix Text (F-36915r2_fix)
---
Configure the mobile operating system to have an organizationally-defined maximum lifetime for the device unlock password.