Require passwords to contain at least one lowercase letter.
389-AC-011 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-011 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000167 |
Rationale
Requiring at least one lowercase letter, together with the uppercase requirement (389-AC-010) and the other character-class controls (389-AC-012, 389-AC-013), rules out single-case passwords, which case-insensitive dictionary attacks handle trivially. An all-uppercase credential draws from the same 26-letter alphabet as an all-lowercase one and so offers no advantage over it; requiring mixed case doubles the per-character alphabet for the alphabetic positions and forces an attacker to include case variants in the wordlist or rule set. The gain is modest, because case-toggling rules are cheap for modern cracking tools, so this control complements rather than replaces an adequate minimum length. DISA SRG-APP-000167 mandates at least one lowercase character for covered applications. As with all four character-class controls in this suite, this requirement is silently inactive unless passwordCheckSyntax is on (389-AC-001); verify that prerequisite before auditing this control.
Check
Verify that the minimum lowercase character requirement is set to 1 or more. The value is only enforced when passwordCheckSyntax is on (389-AC-001), so confirm that setting in the same output.
dsconf <instance> pwpolicy get | grep -i passwordminlowers
Expected: passwordMinLowers: 1 (or higher)
Remediation
Require at least one lowercase letter in the global password policy.
dsconf <instance> pwpolicy set --pwdminlowers=1
References
Implementation Notes
--pwdminlowers=1 sets the minimum count of ASCII lowercase characters (a-z) required in a password. This setting has no effect unless passwordCheckSyntax is on (see 389-AC-001); apply and verify 389-AC-001 first. The dsconf pwpolicy get output reports this as passwordMinLowers (the LDAP attribute name); match it case-insensitively, since the output case varies between dsconf versions. Subtree- and user-level (local) policies replace the global policy for the entries they cover and do not inherit its values, so a local policy that omits passwordMinLowers or passwordCheckSyntax leaves the requirement unenforced there. Enumerate local policies with dsconf <instance> localpwp list and inspect each with dsconf <instance> localpwp get <DN> to ensure no lower-level policy is more permissive; local policies are only honoured when nsslapd-pwpolicy-local is on. Changes apply only to future password-change and password-set operations; existing stored passwords are not retroactively validated.
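An audit helper covering the Check above and the local-policy caveat in these notes, added here as an example; it is not part of 389-ds or of this control's text. policy_passes parses the `attribute: value` lines that dsconf pwpolicy get / localpwp get print and accepts a policy only when passwordCheckSyntax is on and passwordMinLowers is at least 1, so an inactive minimum is reported as a failure rather than a pass. audit_instance then applies it to the global policy and to every local policy; it assumes dsconf is on PATH, that the caller has the instance's ldapi access, and (an assumption about output format) that localpwp list prints one target DN per line, optionally followed by a parenthesised policy type.

```shell
#!/bin/sh
# Added example audit for 389-AC-011; not shipped with 389-ds.
# Requires only POSIX sh, awk, sed and tail.

# policy_passes POLICY_TEXT
#   POLICY_TEXT is the output of `dsconf <instance> pwpolicy get` or
#   `dsconf <instance> localpwp get <DN>`: one "attribute: value" per line.
#   Returns 0 only if passwordCheckSyntax is on AND passwordMinLowers >= 1.
#   A missing attribute counts as a failure: local policies do not inherit
#   from the global policy, so "absent" means "not enforced" there.
#   Attribute names are compared case-insensitively (dsconf output case
#   differs between versions).
policy_passes() {
    text=$1
    syntax=$(printf '%s\n' "$text" \
        | awk -F': *' 'tolower($1) == "passwordchecksyntax" { print tolower($2) }' \
        | tail -n1)
    minlow=$(printf '%s\n' "$text" \
        | awk -F': *' 'tolower($1) == "passwordminlowers" { print $2 }' \
        | tail -n1)
    [ "$syntax" = "on" ] || return 1
    case $minlow in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric: not enforced
    esac
    [ "$minlow" -ge 1 ]
}

# audit_instance INSTANCE (e.g. slapd-localhost)
#   Prints one line per policy and returns 1 if any policy fails.
audit_instance() {
    inst=$1
    rc=0
    if policy_passes "$(dsconf "$inst" pwpolicy get)"; then
        echo "global policy: OK"
    else
        echo "global policy: FAIL (passwordCheckSyntax off or passwordMinLowers < 1)"
        rc=1
    fi
    # Assumption: `localpwp list` prints one target per line, DN first,
    # optionally followed by " (subtree)" or " (user)"; adjust the sed if
    # your dsconf version formats the listing differently.
    old_ifs=$IFS
    IFS='
'
    for line in $(dsconf "$inst" localpwp list); do
        dn=$(printf '%s' "$line" | sed 's/ *(.*)$//')
        [ -n "$dn" ] || continue
        if policy_passes "$(dsconf "$inst" localpwp get "$dn")"; then
            echo "local policy $dn: OK"
        else
            echo "local policy $dn: FAIL"
            rc=1
        fi
    done
    IFS=$old_ifs
    return $rc
}

# Run as: sh audit_pwminlowers.sh slapd-localhost
# (with no argument the functions are only defined, e.g. for sourcing)
if [ $# -gt 0 ]; then
    audit_instance "$1"
fi
```

Run it after remediation and again after any change to local policies; a FAIL on a local policy means that subtree is exempt from this control even though the global setting is correct.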