OVAL

Password must meet complexity requirements

ID: oval:org.secpod.oval:def:36504
Date: (C) 2016-08-05   (M) 2023-12-13
Class: COMPLIANCE
Family: windows




Description: This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:
* Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
* Be at least six characters in length
* Contain characters from three of the following four categories:
  * English uppercase characters (A through Z)
  * English lowercase characters (a through z)
  * Base 10 digits (0 through 9)
  * Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.

Default: Enabled on domain controllers. Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.

Counter Measure: Configure the Passwords must meet complexity requirements setting to Enabled and advise users to use a variety of characters in their passwords. When combined with a Minimum password length of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it will be difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length setting is increased, the average amount of time necessary for a successful attack also increases.)

Potential Impact: If the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty. If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. (Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. Also, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)

Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_SecuritySettingBoolean#Setting#KeyName = 'PasswordComplexity' And precedence=1
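The rule set above is easy to misread (the name check applies to name fragments of three or more characters, not to the whole name, and only three of the four character classes are needed). The following is an added example, not SecPod's OVAL content and not Microsoft's Passfilt.dll source, that encodes the documented rules as a standalone checker so a practitioner can test candidate passwords against them offline. Assumptions: the full name is split into tokens on the delimiters Microsoft documents for the built-in filter (comma, period, hyphen, underscore, space, pound sign, tab); the account name is compared in its entirety and skipped if shorter than three characters; the fourth category is "anything that is not an ASCII letter or digit", which follows the page's "non-alphabetic characters" wording. All sample names and passwords are constructed.

```python
import re

# Delimiters that split the full (display) name into tokens. Assumption: this
# mirrors the delimiter list Microsoft documents for the built-in filter.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name: str) -> list:
    """Tokens of the full name that are long enough to be checked.

    The policy text forbids "parts of the user's full name that exceed two
    consecutive characters", so tokens of one or two characters are ignored.
    """
    return [t for t in _NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(password: str) -> int:
    """Count how many of the four documented character categories are present."""
    upper = any("A" <= c <= "Z" for c in password)
    lower = any("a" <= c <= "z" for c in password)
    digit = any("0" <= c <= "9" for c in password)
    # Fourth category: anything that is not an ASCII letter or digit
    # (assumption: interprets the page's "non-alphabetic characters").
    other = any(not ("A" <= c <= "Z" or "a" <= c <= "z" or "0" <= c <= "9")
                for c in password)
    return sum((upper, lower, digit, other))


def meets_complexity(password: str, account_name: str, full_name: str,
                     min_length: int = 6):
    """Apply the 'Password must meet complexity requirements' rules.

    Returns (ok, reasons). min_length defaults to the six characters the
    complexity policy itself demands; pass the domain's Minimum password
    length (e.g. 8) to combine both settings as the counter-measure advises.
    """
    reasons = []
    pw = password.lower()  # name comparisons are case-insensitive

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Account name is checked whole; skipped when shorter than three chars.
    if len(account_name) >= 3 and account_name.lower() in pw:
        reasons.append(f"contains account name '{account_name}'")

    for tok in name_tokens(full_name):
        if tok.lower() in pw:
            reasons.append(f"contains full-name part '{tok}'")

    if category_count(password) < 3:
        reasons.append("fewer than three of the four character categories")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("Passw0rd!",  "jsmith", "Smith, John A."),  # ok
        ("Smith2024!", "jsmith", "Smith, John A."),  # full-name part
        ("jsmith#123", "jsmith", "Smith, John A."),  # account name
        ("password1",  "jsmith", "Smith, John A."),  # two categories only
        ("Li-Town#99", "liw",    "Li Wei"),          # 'Li' is too short to count
    ]
    for pw, acct, name in samples:
        ok, why = meets_complexity(pw, acct, name, min_length=8)
        print(f"{pw!r:14} -> {'PASS' if ok else 'FAIL'} {why}")
```

Note that current Microsoft documentation splits the fourth category into "non-alphanumeric" and "any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase"; under the page's four-category wording both land in the same bucket, which is what the checker does. Run with `min_length=8` to reflect the recommended pairing with a Minimum password length of 8.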

Platform: Microsoft Windows 10
Reference:
CCE (1): CCE-42872-2
XCCDF (6):
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_10
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
xccdf_org.secpod_benchmark_SecPod_Windows_10
...

© SecPod Technologies