The mobile operating system must disallow the device unlock password from containing fewer than a specified minimum number of lower case alphabetic characters.
Password complexity or strength refers to how difficult it is to determine a password using a dictionary or brute force attack. Setting minimum numbers of certain types of characters increases password complexity and therefore makes it more difficult for an adversary to discover the password. In the DoD, the expectation is that the setting will range from a minimum of 1 to 2 lower case characters in the device unlock password. The parameter should be selected based on a risk assessment that weighs factors such as the environments in which the device will be located and the operational requirements for users to access data in a timely manner.
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.
Check that the appropriate setting is configured on the MDM server.
For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Min Lowercase" setting in the "Android Honeycomb Password Restrictions" rule.
2. Verify the value of the setting is 1 or greater.
On the Samsung Knox Android device:
1. Open the device settings.
2. Select "Lock screen".
3. Select "Screen lock".
4. Enter the current password.
5. Select "Password".
6. Attempt to enter a password that does not contain any lowercase alphabetic characters.
If the configured value of "Min Lowercase" is not 1 or greater on the MDM console, or if the mobile operating system (MOS) accepts a password with no lowercase alphabetic characters, this is a finding.
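The two halves of this check (the console value and the observed device behaviour) can be recorded and evaluated together. The following is an added example written for this page, not code from the STIG, Fixmo Sentinel or Samsung; the rule export dictionary is constructed to mirror the setting names above, and the function names are assumptions. Lowercase characters are counted by Unicode category so that accented lowercase letters count while digits and symbols do not.

```python
import unicodedata

# Constructed MDM rule export (not real Fixmo Sentinel output); the key
# names mirror the console setting and rule named in the check.
SAMPLE_MDM_RULES = {
    "Android Honeycomb Password Restrictions": {
        "Min Lowercase": 1,
        "Min Length": 6,
    },
}


def count_lowercase(password):
    """Count lowercase alphabetic characters the way a policy engine
    would: Unicode category 'Ll', so 'é' counts but '7' and '!' do not."""
    return sum(1 for ch in password if unicodedata.category(ch) == "Ll")


def password_meets_min_lowercase(password, minimum):
    """True if the password satisfies the configured minimum."""
    return count_lowercase(password) >= minimum


def configured_min_lowercase(rules):
    """Read 'Min Lowercase' from the rule export. A missing or non-integer
    value is treated as 0 (the permissive default), which is a finding."""
    rule = rules.get("Android Honeycomb Password Restrictions", {})
    value = rule.get("Min Lowercase", 0)
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def evaluate_check(rules, accepted_passwords):
    """Combine both halves of the check.

    rules: the MDM rule export (console half).
    accepted_passwords: passwords the device accepted during the manual
    test on the device (device half). Accepting any password with no
    lowercase character means the policy is not enforced on the device.
    """
    minimum = configured_min_lowercase(rules)
    console_ok = minimum >= 1
    device_ok = all(count_lowercase(p) >= 1 for p in accepted_passwords)
    return {
        "min_lowercase": minimum,
        "console_ok": console_ok,
        "device_ok": device_ok,
        "finding": not (console_ok and device_ok),
    }


if __name__ == "__main__":
    # Console configured correctly and device rejected the no-lowercase
    # attempt (only the compliant password was accepted): not a finding.
    print(evaluate_check(SAMPLE_MDM_RULES, ["Passw0rd!"]))
    # Console configured correctly but device accepted "ABCDEF12": finding.
    print(evaluate_check(SAMPLE_MDM_RULES, ["ABCDEF12"]))
```

The device half is deliberately represented by what the device accepted rather than by the console value, because the check requires both: a correct console value with a device that still accepts an all-uppercase password is a finding.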
Fix Text (F-KNOX-02-000600_fix)
Configure the mobile operating system to disallow the device unlock password from containing fewer than a specified minimum number of lower case alphabetic characters.
For example, on the Fixmo Sentinel Administration Console, set the "Min Lowercase" value to 1 or more in the "Android Honeycomb Password Restrictions" rule.