Unfortunately, DISA now requires that 15 of the characters differ between passwords.

Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91

Awkwardly citing the same requirement (SRG-OS-000072), of which the full text is:
The operating system must require the change of at least 15 of the total number of characters when passwords are changed.

If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.

The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
The DoD states 50% of the minimum password length, which rounds up to 8 and 
coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to systems 
outside the DoD, which may dictate some initial/default rules.

However, 15 seems to be too high for a default parameter.

Regards,
--
Paul C. Arnold
IT Systems Engineer
Cole Engineering Services, Inc.

________________________________________
From: [email protected] 
[[email protected]] on behalf of Shaw, Ray V 
CTR USARMY ARL (US) [[email protected]]
Sent: Friday, July 24, 2015 02:30 PM
To: scap-security-guide [[email protected]]
Subject: difok value in stig-rhel7-server-upstream profile

RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:

<refine-value idref="var_password_pam_difok" selector="15" />

Should this be changed from 15 to 4?  The help text indicates that the DoD 
requirement is 4, and other documentation seems to support this.

--
Ray Shaw (Contractor, STG)
Army Research Laboratory
CISD, Unix Support
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/

--
Shawn Wells
Director, Innovation Programs
[email protected] | 443.534.0130
@shawndwells
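
To make the counting rule quoted from SRG-OS-000072 concrete, here is an added example (my own code, not from this thread or the SSG project): it counts changed characters per position as the SRG text defines them and, for comparison, applies the edit-distance style test that I understand libpwquality's difok to use (that is an assumption; the thread itself does not state how pam counts). The sample password pairs are constructed.

```python
# Added example, not part of the thread. Compares the SRG-OS-000072
# per-position count with an edit-distance check (assumed to mirror
# libpwquality's difok test; the thread does not say how pam counts).

def srg_changed_positions(old: str, new: str) -> int:
    """Changed characters per SRG-OS-000072: count positions that differ.

    The same character in the same position is unchanged; the same
    character in a different position counts as changed. Positions that
    exist in only one of the two passwords have no counterpart and are
    counted as changed.
    """
    common = min(len(old), len(new))
    differing = sum(1 for i in range(common) if old[i] != new[i])
    return differing + abs(len(old) - len(new))


def edit_distance(old: str, new: str) -> int:
    """Levenshtein distance (assumed to be what difok is checked against)."""
    prev = list(range(len(new) + 1))
    for i, oc in enumerate(old, start=1):
        cur = [i]
        for j, nc in enumerate(new, start=1):
            cur.append(min(prev[j] + 1,            # delete oc
                           cur[j - 1] + 1,         # insert nc
                           prev[j - 1] + (oc != nc)))  # substitute
        prev = cur
    return prev[-1]


def evaluate(old: str, new: str, difok: int) -> dict:
    """Report both measures against a candidate difok threshold."""
    srg = srg_changed_positions(old, new)
    dist = edit_distance(old, new)
    return {"srg_changed": srg, "srg_ok": srg >= difok,
            "edit_distance": dist, "pam_ok": dist >= difok}


# Constructed sample pairs (not real credentials).
SAMPLES = [
    ("Winter2015!Long", "Winter2016!Long"),   # one position changed
    ("Winter2015!Long", "inter2015!LongW"),   # rotated: every position changed
    ("Winter2015!Long", "Spring-Rain#4471"),  # genuinely different
]

if __name__ == "__main__":
    for threshold in (4, 8, 15):  # the values discussed in the thread
        for old, new in SAMPLES:
            print(threshold, old, "->", new, evaluate(old, new, threshold))
```

The rotated pair shows why the two measures are not interchangeable: every position changes, so it satisfies the SRG wording even at 15, while its edit distance is only 2 and fails difok at 4.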
