
The mobile operating system must enforce a minimum length for the device unlock password.


Overview

Finding ID: KNOX-01-000200
Version: KNOX-01-000200
Rule ID: KNOX-01-000200_rule
IA Controls: (none listed)
Severity: Medium
Description
Password complexity, or strength, is a measure of the effectiveness of a password in resisting guessing and brute force attacks. The ability to crack a password is a function of how many attempts an adversary is permitted, how quickly the adversary can make each attempt, and the size of the password space. The longer the minimum length of the password is, the larger the password space.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-01-000200_chk)
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Note: For device unlock on mobile operating systems with no access to sensitive or classified information, the password length must be at least four digits. For mobile devices that store, process, or transmit sensitive information, the password length must be a minimum of 8 characters.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Min Length" setting in the "Android Password Restrictions" rule.
2. Verify the value of the setting is equal to or greater than the required length.

On the Samsung Knox Android device:
1. Open the device settings.
2. Select "Lock screen".
3. Select "Screen lock".
4. Enter the current password.
5. Select "Password".
6. Attempt to enter a password with fewer characters than the required length.

If the configured value of the "Min Length" setting is less than the required length, or if the MOS accepts a password shorter than the required length, this is a finding.
Fix Text (F-KNOX-01-000200_fix)
Configure the mobile operating system to enforce a minimum length for the device unlock password.

For example, on the Fixmo Sentinel Administration Console, set the "Min Length" value to 8 or greater in the "Android Password Restrictions" rule.