Require passwords to contain at least one numeric character.
389-AC-012 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-012 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000168 |
Rationale
Purely alphabetic passwords, even long ones, are vulnerable to dictionary attacks that enumerate common words, names, and phrases without numeric variants. Requiring at least one digit forces an attacker to expand the candidate set to alphanumeric combinations, raising the cost of dictionary and hybrid brute-force attacks. DISA SRG-APP-000168 mandates at least one numeric character for covered applications. This is the third control in the four-part character-class composition suite (389-AC-010 through 389-AC-013); combined with the uppercase (AC-010), lowercase (AC-011), and special-character (AC-013) requirements, the suite forces passwords to span four distinct character pools, substantially raising the cracking cost floor. Like every character-class control in this suite, the digit requirement is enforced only while passwordCheckSyntax is on (389-AC-001); confirm that prerequisite before auditing this control, because a compliant passwordMinDigits value with syntax checking off is still a finding.
Check
Verify that the minimum digit character requirement is set to 1 or more.
dsconf <instance> pwpolicy get | grep -i passwordmindigits
Expected: passwordMinDigits: 1 (any value of 1 or higher satisfies the control; grep -i matches whichever case dsconf uses for the attribute name). A value of 0 is a finding, as is a value of 1 or higher while passwordCheckSyntax is off (389-AC-001).
Remediation
Require at least one numeric digit in the global password policy.
dsconf <instance> pwpolicy set --pwdmindigits=1
References
Implementation Notes
--pwdmindigits=1 sets the minimum count of digit characters (0-9) required in a password. This setting has no effect unless passwordCheckSyntax is on (see 389-AC-001); apply and verify 389-AC-001 first. The dsconf pwpolicy get output reports this as passwordMinDigits (the LDAP attribute name). Subtree- and user-level policies can override this value: enumerate them with dsconf <instance> localpwp list and inspect each one to ensure no lower-level policy sets passwordMinDigits back to 0 or turns syntax checking off. Changes apply only to future password-change and password-set operations; passwords already stored are not re-validated, so existing all-alphabetic passwords remain valid until they are next changed.
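The check and remediation above are written for a human at a terminal. The following audit helper is an added example, not part of the 389-ds project or of this control's text: it evaluates captured dsconf <instance> pwpolicy get output and applies the prerequisite rule from the notes, counting passwordMinDigits only when passwordCheckSyntax is on. The three sample policy outputs are constructed, and the attribute-name casing that dsconf prints is treated as unknown (matched case-insensitively).

```shell
#!/bin/sh
# Added example: audit 389-AC-012 against captured `dsconf <instance> pwpolicy get`
# output. Not part of 389-ds; the sample outputs below are constructed.

# pw_attr OUTPUT ATTR: print the value of ATTR from "attr: value" lines,
# matching the attribute name case-insensitively (dsconf casing may vary).
pw_attr() {
    printf '%s\n' "$1" | awk -v want="$2" -F': *' '
        tolower($1) == tolower(want) { print $2; exit }'
}

# audit_min_digits OUTPUT: return 0 when the policy enforces >= 1 digit,
# 1 otherwise. The server only honours the digit minimum while
# passwordCheckSyntax is on (389-AC-001), so that prerequisite is checked first.
audit_min_digits() {
    syntax=$(pw_attr "$1" passwordCheckSyntax)
    mindigits=$(pw_attr "$1" passwordMinDigits)

    case "$syntax" in
        [Oo][Nn]) ;;
        *)  echo "FAIL: passwordCheckSyntax is '${syntax:-unset}'; passwordMinDigits is not enforced (389-AC-001)"
            return 1 ;;
    esac
    case "$mindigits" in
        ''|*[!0-9]*)
            echo "FAIL: passwordMinDigits is '${mindigits:-unset}', expected an integer >= 1"
            return 1 ;;
    esac
    if [ "$mindigits" -ge 1 ]; then
        echo "PASS: passwordCheckSyntax on, passwordMinDigits $mindigits"
        return 0
    fi
    echo "FAIL: passwordMinDigits is $mindigits, expected >= 1 (remediate: dsconf <instance> pwpolicy set --pwdmindigits=1)"
    return 1
}

# Constructed sample outputs, trimmed to the relevant attributes.
SAMPLE_COMPLIANT='passwordchecksyntax: on
passwordmindigits: 1
passwordminlength: 14'

SAMPLE_SYNTAX_OFF='passwordchecksyntax: off
passwordmindigits: 1'

SAMPLE_ZERO='passwordchecksyntax: on
passwordmindigits: 0'

# Stand-alone demonstration. On a live server use:
#   audit_min_digits "$(dsconf "$INSTANCE" pwpolicy get)"
audit_min_digits "$SAMPLE_COMPLIANT"  || :
audit_min_digits "$SAMPLE_SYNTAX_OFF" || :
audit_min_digits "$SAMPLE_ZERO"       || :
```

The same function can be pointed at each local policy the server reports (dsconf <instance> localpwp list, then the per-policy output), on the assumption that it is printed in the same attr: value form; a local policy that fails the check overrides the global setting for its subtree or user and is a finding in its own right.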