Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260441	KNOX-14-710030	SV-260441r950902_rule		Medium

Description
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #1b

STIG	Date
Samsung Android 14 MDFPP 3.3 BYOAD Security Technical Implementation Guide	2024-02-21

Details

Check Text ( C-64171r950900_chk )
Review the configuration to determine if the Samsung Android devices' Work Environment is disallowing passwords containing more than four repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better. On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock). If "One Lock" is enabled: 1. Open Settings >> Lock screen >> Screen lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify that PINs with more than four repeating or sequential numbers are not accepted. If "One Lock" is disabled: 1. Open Settings >> Security and privacy >> More security settings >> Work profile security >> Work profile lock type. 2. Enter current password. 3. Tap "PIN". 4. Verify that PINs with more than four repeating or sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.

Check Text ( C-64171r950900_chk )

Review the configuration to determine if the Samsung Android devices' Work Environment is disallowing passwords containing more than four repeating or sequential characters.

This validation procedure is performed on both the management tool and the Samsung Android device.

On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better.

On the Samsung Android device, confirm if the user has "One Lock" enabled (Settings >> Security and privacy >> More security settings >> Work profile security >> Use one lock).

If "One Lock" is enabled:
1. Open Settings >> Lock screen >> Screen lock type.
2. Enter current password.
3. Tap "PIN".
4. Verify that PINs with more than four repeating or sequential numbers are not accepted.

If "One Lock" is disabled:
1. Open Settings >> Security and privacy >> More security settings >> Work profile security >> Work profile lock type.
2. Enter current password.
3. Tap "PIN".
4. Verify that PINs with more than four repeating or sequential numbers are not accepted.

If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.

Fix Text (F-64078r950901_fix)
Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters. On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better. If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via KSP) "Maximum Numeric Sequence Length" with value "4".

Fix Text (F-64078r950901_fix)

Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters.

On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better.

If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via KSP) "Maximum Numeric Sequence Length" with value "4".