Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-33004 | SRG-OS-000077-NA | SV-43402r3_rule | | Low |
Description |
---|
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The mobile operating system must prohibit a user from reusing any of the last five previously used device unlock passwords. Rationale for non-applicability: Changing passwords regularly prevents an attacker who has compromised the password from re-using it to regain access. This is an unlikely scenario on a mobile device because these devices do not have a remote logon capability that would facilitate either stealth use of the device or a brute force or dictionary password attack. Wiping the device after 10 unsuccessful logon attempts mitigates the risk of a password attack far more effectively than a password rotation scheme. Additionally, NSA guidance for CMDs no longer requires password aging and password history settings. |
STIG | Date |
---|---|
Mobile Operating System Security Requirements Guide | 2013-07-03 |
Check Text ( C-41301r2_chk ) |
---|
Review the mobile operating system configuration for prohibiting a user from reusing any of the last five previously used device unlock passwords. If the mobile operating system allows a user to reuse any of an organizationally-defined number of previously used device unlock passwords, this is a finding. |
Fix Text (F-36916r2_fix) |
---|
Configure the mobile operating system to prohibit a user from reusing an organizationally-defined number of previously used device unlock passwords. |
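As an added illustration of the history requirement this rule describes (example code, not part of the STIG text), the following Python models a password-history store that retains salted digests of the last five unlock passwords and rejects any candidate that matches one of them. The class name, the PBKDF2 parameters and the five-entry default are assumptions; a real mobile OS enforces this in its keyguard or device-policy layer.

```python
import hashlib
import hmac
import os
from collections import deque

# Number of previous unlock passwords that may not be reused. The rule on this
# page names five; the fix text leaves the count organizationally defined.
HISTORY_DEPTH = 5
# Assumption: PBKDF2-HMAC-SHA256 with this work factor; any slow KDF would do.
PBKDF2_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted digest of the password so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


class UnlockPasswordHistory:
    """Keeps (salt, digest) pairs for the last `depth` unlock passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        # deque(maxlen=depth) evicts the oldest entry once depth is exceeded,
        # which is what lets a password return after it leaves the window.
        self._entries = deque(maxlen=depth)

    def was_used(self, password: str) -> bool:
        """True if the candidate equals any retained previous password."""
        # Each entry has its own salt, so the candidate is re-derived per entry
        # and compared in constant time.
        return any(
            hmac.compare_digest(_derive(password, salt), digest)
            for salt, digest in self._entries
        )

    def set_password(self, password: str) -> bool:
        """Record a new password and return True, or return False on reuse."""
        if self.was_used(password):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _derive(password, salt)))
        return True
```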