# Require passwords to contain at least one uppercase letter.

389-AC-010 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-010 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000166 |
## Rationale
Requiring at least one uppercase letter expands the effective character set an attacker must search, raising the cost of both brute-force enumeration and dictionary-based attacks that target all-lowercase or single-case password patterns. Without multi-class enforcement, a large portion of real-world passwords drawn from common wordlists can be cracked without ever testing a mixed-case variant. DISA SRG-APP-000166 mandates at least one uppercase character for covered applications; NIST IA-5(1) requires complexity rules that span multiple character classes. This is the first of four character-class controls (see also 389-AC-011 through 389-AC-013) that together enforce multi-class composition. Critically, all four character-class minimums are enforced only when password syntax checking is active (389-AC-001): this control has no effect unless passwordCheckSyntax is on.
## Check

Verify that the minimum uppercase character requirement is set to 1 or more.

```
dsconf <instance> pwpolicy get | grep -i passwordminuppers
```

Expected: `passwordMinUppers: 1`
## Remediation

Require at least one uppercase letter in the global password policy.

```
dsconf <instance> pwpolicy set --pwdminuppers=1
```

## References

## Implementation Notes
`--pwdminuppers=1` sets the minimum count of ASCII uppercase characters (A-Z) required in a password. This setting has no effect unless passwordCheckSyntax is on (see 389-AC-001); apply and verify 389-AC-001 first. The `dsconf pwpolicy get` output reports this as passwordMinUppers (the LDAP attribute name). Subtree- and user-level policies can override this value; run `dsconf <instance> pwpolicy list` to identify any overriding policies and verify that they also enforce the uppercase requirement. Changes apply to future password-change and password-set operations; existing passwords are not affected.
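The Check and Implementation Notes above describe a two-part condition: passwordMinUppers must be at least 1, and the value only matters when passwordCheckSyntax is on. The following added example (not part of the 389-ds project or this control's tooling) evaluates both conditions against the `attribute: value` text that `dsconf <instance> pwpolicy get` prints; the sample policy outputs are constructed for the example, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: evaluate 389-AC-010 against captured `dsconf pwpolicy get` output.
# The attribute: value layout mirrors the page's expected line; samples are constructed.

# Return the value of one policy attribute (name matched case-insensitively).
pwpolicy_attr() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v key="$key" '
        index($0, ":") > 0 {
            name = substr($0, 1, index($0, ":") - 1)
            if (tolower(name) == key) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }'
}

# 0 = compliant, 1 = non-compliant. Syntax checking (389-AC-001) is a precondition:
# a correct passwordMinUppers is reported as a failure when it cannot take effect.
check_min_uppers() {
    policy="$1"
    syntax=$(pwpolicy_attr "$policy" passwordCheckSyntax | tr 'A-Z' 'a-z')
    min=$(pwpolicy_attr "$policy" passwordMinUppers)
    case "$syntax" in
        on) ;;
        *) echo "FAIL: passwordCheckSyntax is '${syntax:-unset}'; uppercase minimum is not enforced (389-AC-001)"; return 1 ;;
    esac
    case "$min" in
        ''|*[!0-9]*) echo "FAIL: passwordMinUppers is '${min:-unset}', expected an integer >= 1"; return 1 ;;
    esac
    if [ "$min" -ge 1 ]; then
        echo "PASS: passwordMinUppers=$min with passwordCheckSyntax on"; return 0
    fi
    echo "FAIL: passwordMinUppers=$min is below the required minimum of 1"; return 1
}

# Constructed samples of pwpolicy output (only the attributes relevant here).
SAMPLE_COMPLIANT='passwordCheckSyntax: on
passwordMinUppers: 1
passwordMinLength: 15'
SAMPLE_SYNTAX_OFF='passwordCheckSyntax: off
passwordMinUppers: 1'
SAMPLE_ZERO='passwordCheckSyntax: on
passwordMinUppers: 0'

check_min_uppers "$SAMPLE_COMPLIANT"
```

To run against a live instance, pass `"$(dsconf <instance> pwpolicy get)"` to `check_min_uppers`; repeat for each subtree or user policy reported by `dsconf <instance> pwpolicy list`.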