Ensuring at least 15 password characters are changed
Rule Title: RiOS must require that when a password is changed, the characters are changed in at least 15 of the positions within the password.
STIG ID: RICX-DM-000119
Rule ID: SV-77461r1_rule Severity: CAT II
Vuln ID: V-62971 Class: Unclass
If the application allows the user to consecutively reuse extensive portions of passwords, this feature increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters might be the same within the two passwords; however, the positions of the like characters must be different.
Verifying at least 15 password characters are changed
Verify that RiOS is configured to require that when a password is changed, the characters are changed in at least 15 of the positions within the password.
1. Connect to the Management Console.
2. Choose Administration > Security: Password Policy to display the Password Policy page.
3. Verify that the Minimum Character Difference Between Passwords is set to 15. If the Minimum Character Difference Between Passwords is not set to 15, this is a security vulnerability finding.
Configuring passwords so that at least 15 password characters are changed
Configure RiOS to require that when a password is changed, the characters are changed in at least 15 of the positions within the password.
1. Connect to the Management Console.
2. Choose Administration > Security: Password Policy to display the Password Policy page.
3. Specify the value of the Minimum Character Difference Between Passwords text box to 15.
4. Click Apply.