search cancel

The DBMS must enforce the DoD standards for password complexity and lifetime

book

Article ID: 237988

calendar_today

Updated On:

Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

If DBMS authentication, using passwords, is employed, the DBMS must enforce the DoD standards for password complexity and lifetime.  

Review the DBMS settings relating to password complexity. Determine whether the following rules are enforced. If any are not, this is a finding.
a. minimum of 15 characters, including at least one of each of the following character sets:
- Upper-case
- Lower-case
- Numerics
- Special characters (e.g., ~ ! @ # $ % ^ & * ( ) _ + = - ' [ ] / ? > <)
b. Minimum number of characters changed from previous password: 50 percent of the minimum password length; that is, eight

Review the DBMS settings relating to password lifetime. Determine whether the following rules are enforced. If any are not, this is a finding.
a. Password lifetime limits for interactive accounts: Minimum 24 hours, maximum 60 days
b. Password lifetime limits for non-interactive accounts: Minimum 24 hours, maximum 365 days
c. Number of password changes before an old one may be reused: Minimum of five

https://www.stigviewer.com/stig/database_security_requirements_guide/2020-03-06/finding/V-61407#:~:text=The%20DoD%20standard%20for%20authentication,and%20lifetime%20must%20be%20implemented.

 

Environment

Dx NetOps Performance Management 21.2.x

Resolution

We support these abilities in SsoConfig:

 

Enforce password requirements (default: Enabled): Enabled
Allow REST to create users with usernames and passwords that match (default: Enabled): Enabled
Minimum password length (default: 8): 8
Password lifespan (default:105 days): 105
Disable password expiration for a specific user:
Enable password expiration for a specific user:
Expire password for a specific user:
Expire all passwords immediately:
Failed login attempts before blocking (default 6): 6
Timeframe for failed login attempts (default 3 minutes): 3
Disable user after failed login attempts (default: Disabled): Enabled
Number of minutes to block IP address after failed login attempts (default: 0 minutes (Disabled)): 0
Block all local user accounts (default: Disabled): Disabled