Interesting. Not looking forward to the backlash on implementing that one.

Trevor
On Fri, Jul 24, 2015 at 2:56 PM, Shawn Wells <[email protected]> wrote:
> Unfortunately, DISA now requires that 15 of the characters differ between
> passwords.
>
> Ref: https://github.com/OpenSCAP/scap-security-guide/issues/91
>
> Awkwardly citing the same requirement (SRG-OS-000072), of which the full
> text is:
>
>> The operating system must require the change of at least 15 of the total
>> number of characters when passwords are changed.
>>
>> If the operating system allows the user to consecutively reuse extensive
>> portions of passwords, this increases the chances of password compromise by
>> increasing the window of opportunity for attempts at guessing and
>> brute-force attacks.
>>
>> The number of changed characters refers to the number of changes required
>> with respect to the total number of positions in the current password. In
>> other words, characters may be the same within the two passwords; however,
>> the positions of the like characters must be different.
>
> On 7/24/15 2:44 PM, Arnold, Paul C CTR USARMY PEO STRI (US) wrote:
>> The DoD states 50% of the minimum password length, which rounds up to 8
>> and coincides with OS-SRG v1r2 (SRG-OS-000072). The SSG also applies to
>> systems outside the DoD, which may dictate some initial/default rules.
>>
>> However, 15 seems to be too high for a default parameter.
>>
>> Regards,
>> --
>> Paul C. Arnold
>> IT Systems Engineer
>> Cole Engineering Services, Inc.
>>
>> ________________________________________
>> From: [email protected] [[email protected]] on behalf of Shaw, Ray V CTR USARMY ARL (US) [[email protected]]
>> Sent: Friday, July 24, 2015 02:30 PM
>> To: scap-security-guide [[email protected]]
>> Subject: difok value in stig-rhel7-server-upstream profile
>>
>> RHEL/7/input/profiles/stig-rhel7-server-upstream.xml has the following:
>>
>> <refine-value idref="var_password_pam_difok" selector="15" />
>>
>> Should this be changed from 15 to 4? The help text indicates that the
>> DoD requirement is 4, and other documentation seems to support this.
>>
>> --
>> Ray Shaw (Contractor, STG)
>> Army Research Laboratory
>> CISD, Unix Support
>> --
>> SCAP Security Guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>> https://github.com/OpenSCAP/scap-security-guide/
>
> --
> Shawn Wells
> Director, Innovation Programs
> [email protected] | 443.534.0130
> @shawndwells

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
-- This account not approved for unencrypted proprietary information --
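The thread turns on what "at least 15 of the characters must change" actually measures. The SRG text quoted above counts changes against the positions of the current password (the same characters may reappear, but not in the same places), whereas pam_pwquality's difok is a similarity test between the two strings. The script below is an added illustration written for this page, not code from the SCAP Security Guide project, DISA or libpwquality. It makes two labelled assumptions: the positional reading of SRG-OS-000072 is this example's interpretation of the quoted wording, and difok is approximated by a Levenshtein edit distance (check the behaviour of your libpwquality version before relying on that). The sample password pairs are constructed, not real credentials.

```python
# Added example, not project code. Contrasts two readings of
# "at least N characters must change" for the thresholds in the thread
# (4 and 15).
#
# Assumptions (this example's, not the page's):
#   * SRG-OS-000072 is read positionally: count positions of the CURRENT
#     password whose character is not the same at that position in the
#     new password. Same character, different position counts as changed.
#   * pam_pwquality's difok is approximated by Levenshtein edit distance.
#     Verify against your libpwquality version.


def changed_positions(current: str, new: str) -> int:
    """Positional reading of SRG-OS-000072.

    Positions that the new password no longer has count as changed.
    Characters appended beyond len(current) are not counted, because the
    requirement is phrased against the positions of the current password.
    """
    return sum(
        1 for i, c in enumerate(current)
        if i >= len(new) or new[i] != c
    )


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))          # row for the empty prefix of a
    for i, ca in enumerate(a, start=1):
        cur = [i]                            # deleting i characters of a
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,                 # delete ca
                cur[j - 1] + 1,              # insert cb
                prev[j - 1] + (ca != cb),    # substitute, free if equal
            ))
        prev = cur
    return prev[-1]


def evaluate(current: str, new: str, difok: int) -> dict:
    """How one password change fares under both readings for one threshold."""
    pos = changed_positions(current, new)
    dist = edit_distance(current, new)
    return {
        "difok": difok,
        "positions_changed": pos,
        "edit_distance": dist,
        "passes_positional": pos >= difok,
        "passes_difok": dist >= difok,
    }


# Constructed sample changes. The current value is 15 characters long so
# that a threshold of 15 is reachable at all under the positional reading.
SAMPLES = {
    # Every character kept, every position different: 15 positions changed,
    # but only two edits away (delete the leading 'a', append it).
    "rotate": ("abcdefghijklmno", "bcdefghijklmnoa"),
    # Old value kept intact with 15 characters appended: 15 edits, yet not
    # one position of the current password changed.
    "append": ("abcdefghijklmno", "abcdefghijklmno0123456789ABCDE"),
    # Last four characters replaced: 4 under both readings.
    "tail4": ("abcdefghijklmno", "abcdefghijk1234"),
}


def run_samples(difok: int) -> dict:
    """Evaluate every sample pair against one difok threshold."""
    return {name: evaluate(old, new, difok)
            for name, (old, new) in SAMPLES.items()}


if __name__ == "__main__":
    for threshold in (4, 15):
        print(f"--- difok={threshold}")
        for name, r in run_samples(threshold).items():
            print(f"{name:7s} positions={r['positions_changed']:2d} "
                  f"edits={r['edit_distance']:2d} "
                  f"positional={'pass' if r['passes_positional'] else 'FAIL'} "
                  f"difok={'pass' if r['passes_difok'] else 'FAIL'}")
```

Run it and the "rotate" and "append" rows go in opposite directions at 15: a rotated password satisfies the positional wording of the SRG but fails a difok of 15, while appending 15 new characters does the reverse. Only the "tail4" row behaves the same under both readings, and it passes at 4 and fails at 15, which is the gap between Ray's proposed value and the profile's current one.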
