Enforce a minimum password length for enhanced security.
389-AC-006 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-006 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000164 |
Rationale
Password length is the most impactful single complexity control: each additional character multiplies the search space an attacker must traverse, making brute-force attacks exponentially more expensive regardless of the cracking hardware available. Short passwords, even those that satisfy character-class requirements, can be exhaustively searched in minutes with modern GPU rigs or distributed cracking infrastructure. DISA SRG-APP-000164 mandates a minimum of 15 characters for covered applications, recognizing that length provides stronger protection than character-class rules alone. NIST SP 800-63B further recommends supporting passphrases of up to 64 characters. The passwordMinLength attribute is enforced independently of passwordCheckSyntax (389-AC-001), so this control remains effective even if syntax checking is temporarily disabled, providing a defense-in-depth baseline.
Check
Verify that the minimum password length is set to 15 characters or more.
dsconf <instance> pwpolicy get | grep -i passwordminlength
Expected: passwordMinLength: 15
Remediation
Set the minimum password length to 15 characters in the global password policy.
dsconf <instance> pwpolicy set --pwdminlen=15
Implementation Notes
The minimum length check is enforced by the password policy engine regardless of whether syntax checking (passwordCheckSyntax) is enabled; it is an independent attribute. Set the value via --pwdminlen=15; the server will reject any password-change attempt where the new password length is below this threshold. For passphrases (which may consist entirely of lowercase words), consider raising the minimum to 20 or more characters in environments that permit passphrase-style passwords, as length compensates for reduced character-class diversity. Subtree- and user-level policies can override this value; audit with dsconf <instance> pwpolicy list to confirm no override sets a lower limit.
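As an added example (not part of this control text or the 389-ds project), the following Python audit parses captured dsconf output for the global policy and for each local policy reported by the list command, and flags any scope whose passwordMinLength is missing or below the required floor. It assumes dsconf prints one attribute: value line per attribute; the sample output embedded below is constructed, not captured from a real instance.

```python
import re
from typing import Dict, List, Tuple

REQUIRED_MIN_LENGTH = 15  # floor mandated by this control (SRG-APP-000164)

# dsconf prints one 'attribute: value' line per attribute; LDAP attribute
# names are case-insensitive, so keys are normalised to lowercase.
_ATTR_LINE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*:\s*(.*?)\s*$")


def parse_policy(output: str) -> Dict[str, str]:
    """Map lowercase attribute name -> value for one captured policy dump."""
    attrs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    return attrs


def audit_policies(policies: Dict[str, str],
                   floor: int = REQUIRED_MIN_LENGTH) -> List[Tuple[str, str]]:
    """Return (scope, finding) for every policy that does not meet the floor.

    policies maps a scope label ('global' or the DN of a subtree/user policy)
    to its captured dsconf output. A local policy that omits passwordMinLength
    is reported too: confirm its effective value, don't assume it inherits.
    """
    findings: List[Tuple[str, str]] = []
    for scope, output in policies.items():
        raw = parse_policy(output).get("passwordminlength")
        if raw is None:
            findings.append((scope, "passwordMinLength not set; confirm effective value"))
        elif not raw.isdigit():
            findings.append((scope, f"passwordMinLength has non-numeric value {raw!r}"))
        elif int(raw) < floor:
            findings.append((scope, f"passwordMinLength is {raw}, below required {floor}"))
    return findings


# Constructed sample output: a compliant global policy, a compliant subtree
# override, a subtree override that silently lowers the limit, and a user
# policy that omits the attribute entirely.
SAMPLE_POLICIES = {
    "global": "passwordchecksyntax: on\npasswordminlength: 15\npasswordmindigits: 1\n",
    "ou=service,dc=example,dc=com": "passwordminlength: 20\n",
    "ou=people,dc=example,dc=com": "passwordminlength: 8\npasswordlockout: on\n",
    "uid=svc-backup,ou=service,dc=example,dc=com": "passwordlockout: on\n",
}
```

Calling audit_policies(SAMPLE_POLICIES) reports the ou=people override and the svc-backup user policy; pass floor=20 to apply the stricter passphrase threshold described in the notes above.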