
The operating system must prohibit password reuse for the organization-defined number of generations.


Overview

Finding ID: V-33004
Version: SRG-OS-000077-NA
Rule ID: SV-43402r3_rule
IA Controls: (none listed)
Severity: Low
Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. The mobile operating system must prohibit a user from reusing any of the last five previously used device unlock passwords.

Rationale for non-applicability: Changing passwords regularly prevents an attacker who has compromised the password from reusing it to regain access. This is an unlikely scenario on a mobile device because these devices do not have a remote logon capability that would facilitate either stealthy use of the device or a brute-force or dictionary password attack. Wiping the device after 10 unsuccessful logon attempts mitigates the risk of a password attack far more effectively than a password rotation scheme. Additionally, NSA guidance for CMDs no longer requires password aging and password history settings.

STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41301r2_chk)
Review the mobile operating system configuration for prohibiting a user from reusing any of the last five previously used device unlock passwords. If the mobile operating system allows a user to reuse any of an organizationally-defined number of previously used device unlock passwords, this is a finding.
Fix Text (F-36916r2_fix)
Configure the mobile operating system to prohibit a user from reusing an organizationally-defined number of previously used device unlock passwords.