OVAL

Minimum password length

ID: oval:org.secpod.oval:def:36509
Date: (C)2016-08-05   (M)2023-12-13
Class: COMPLIANCE
Family: windows




This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Default: 7 on domain controllers. 0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

Counter Measure: Configure the Minimum password length setting to a value of 14 or more. If the number of characters is set to 0, no password will be required. In most environments, we recommend a 14-character password because it is long enough to provide adequate security but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the Passwords must meet complexity requirements setting in addition to the Minimum password length setting helps reduce the possibility of a dictionary attack.

Potential Impact: Requirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about pass phrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.

Note: Older versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords.
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_SecuritySettingNumeric#Setting#KeyName = 'MinimumPasswordLength' And precedence=1
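The following audit script is an added example, not SecPod's own check. It reads the effective value through the WMI class named in the Fix entry and falls back to a `secedit` export when no RSoP data exists. The function name `Get-MinimumPasswordLength` and the variable `$RequiredLength` are assumptions of this sketch.

```powershell
# Added example: audit the effective "Minimum password length" on a Windows host.
# Get-MinimumPasswordLength and $RequiredLength are names made up for this sketch.
function Get-MinimumPasswordLength {
    # 1) Resultant Set of Policy: the WMI source named in the Fix entry.
    $filter = "KeyName='MinimumPasswordLength' AND precedence=1"
    $rsop = Get-CimInstance -Namespace 'root\rsop\computer' `
        -ClassName 'RSOP_SecuritySettingNumeric' -Filter $filter `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($rsop) {
        return [pscustomobject]@{ Source = 'RSoP'; Length = [int]$rsop.Setting }
    }

    # 2) No RSoP record (for example, no GPO sets the value): export the local
    #    security policy with secedit. This needs an elevated session.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $line = Select-String -Path $cfg -ErrorAction SilentlyContinue `
            -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
            Select-Object -First 1
        if (-not $line) {
            throw 'MinimumPasswordLength not found; is the session elevated?'
        }
        $value = [int]$line.Matches[0].Groups[1].Value
        return [pscustomobject]@{ Source = 'secedit'; Length = $value }
    }
    finally {
        # The export contains local policy details; do not leave it in TEMP.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$RequiredLength = 14   # value recommended in the Counter Measure text
$current = Get-MinimumPasswordLength
[pscustomobject]@{
    Setting   = 'MinimumPasswordLength'
    Source    = $current.Source
    Current   = $current.Length
    Required  = $RequiredLength
    Compliant = ($current.Length -ge $RequiredLength)
}
```

A `Source` of `secedit` means no Group Policy record was found for the setting, so the value comes from the local security database rather than from a GPO.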

Platform:
Microsoft Windows 10
Reference:
CCE-41679-2
XCCDF    6
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_10
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10
xccdf_org.secpod_benchmark_PCI_3_2_Windows_10
xccdf_org.secpod_benchmark_SecPod_Windows_10
...

© SecPod Technologies