Require passwords to contain at least one special character.
389-AC-013 - severity: high
| Field | Value |
|---|---|
| Control ID | 389-AC-013 |
| Severity | high |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | IA-5(1) |
| DISA SRG | SRG-APP-000169 |
Rationale
Special characters (punctuation and symbols) form the largest of the four character classes: the roughly 32 symbol characters of printable ASCII take the alphabet from the 62 alphanumerics to about 94 characters, so a password that must contain at least one is drawn from a larger search space and costs more to enumerate exhaustively. A plain wordlist attack with no mangling rules never produces a symbol, so such attacks miss every compliant password. The gain is smaller than the alphabet arithmetic suggests, however: users satisfying the rule overwhelmingly append a single "!" or substitute "@" for "a", and cracking rulesets model exactly those patterns, so this control raises the floor rather than guaranteeing strength and should be paired with a minimum length requirement. DISA SRG-APP-000169 requires at least one special character for covered applications. This is the fourth and final control in the character-class composition suite (389-AC-010 through 389-AC-013); applied together, the four require every password to span the uppercase, lowercase, digit, and symbol pools, so an attacker cannot restrict the candidate alphabet to one or two classes. Like the other three character-class controls, this requirement is enforced only when passwordCheckSyntax is on (389-AC-001); verify that gate control first, because a passwordMinSpecials value is silently ignored without it.
Check
Verify that the global password policy requires at least one special character. Confirm that passwordCheckSyntax is on (389-AC-001) before treating the value below as evidence of enforcement.
dsconf <instance> pwpolicy get | grep -i passwordminspecials
Expected: passwordMinSpecials: 1 (any value of 1 or greater satisfies the control; 0 or an absent attribute is a finding)
Remediation
Require at least one special character in the global password policy.
dsconf <instance> pwpolicy set --pwdminspecials=1
References
Implementation Notes
--pwdminspecials=1 sets the minimum count of non-alphanumeric characters a password must contain. The setting has no effect unless passwordCheckSyntax is on (see 389-AC-001); apply and verify 389-AC-001 before auditing this control. The dsconf pwpolicy get output reports the value under its LDAP attribute name, passwordMinSpecials. Syntax checks run only when a password is set or changed, so existing passwords are not re-validated until their next change; plan a rotation if the control must cover the current population. Some LDAP client applications or legacy integrations may not handle special characters in bind passwords correctly, and symbols in scripted binds are prone to shell-quoting mistakes; test client compatibility before enabling this requirement in production and coordinate with application owners to update stored credentials where necessary. Subtree- and user-level policies can override the global value for entries in their scope; audit with dsconf <instance> pwpolicy list to ensure coverage across all policy scopes.
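As an added example (not part of this control page or of the 389-ds project), the following POSIX shell audit evaluates the gate control and this control together from the attribute dump that dsconf <instance> pwpolicy get prints, failing when syntax checking is off, when passwordMinSpecials is absent or non-numeric, or when it is below 1. The three sample dumps are constructed rather than captured from a server, and the instance name localhost in the trailing comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit 389-AC-013 together with its gate control 389-AC-001
# from the attribute dump produced by `dsconf <instance> pwpolicy get`.
# The sample dumps and the instance name "localhost" are constructed.

# Print the value of one attribute from a pwpolicy dump read on stdin.
# LDAP attribute names are case-insensitive, so the match is too.
# Returns 1 when the attribute is not present in the dump.
pwp_attr() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { name = $1; sub(/:$/, "", name) }
        tolower(name) == want { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Evaluate one policy dump. Prints PASS or a FAIL reason; returns 0 only on PASS.
audit_specials() {
    dump="$1"
    syntax=$(printf '%s\n' "$dump" | pwp_attr passwordCheckSyntax)
    if [ "$syntax" != "on" ]; then
        echo "FAIL: passwordCheckSyntax is '${syntax:-unset}', not 'on' (389-AC-001 gate); passwordMinSpecials is not enforced"
        return 1
    fi
    specials=$(printf '%s\n' "$dump" | pwp_attr passwordMinSpecials)
    case "$specials" in
        ''|*[!0-9]*)
            echo "FAIL: passwordMinSpecials is '${specials:-unset}', expected an integer >= 1"
            return 1 ;;
    esac
    if [ "$specials" -lt 1 ]; then
        echo "FAIL: passwordMinSpecials is $specials, expected >= 1"
        return 1
    fi
    echo "PASS: passwordCheckSyntax on, passwordMinSpecials $specials"
    return 0
}

# Constructed sample dumps (not captured from a real instance).
COMPLIANT='passwordCheckSyntax: on
passwordMinLength: 14
passwordMinSpecials: 1'
GATE_OFF='passwordCheckSyntax: off
passwordMinSpecials: 1'
WEAK='passwordCheckSyntax: on
passwordMinSpecials: 0'
MISSING='passwordCheckSyntax: on
passwordMinLength: 14'

# Against a live instance, feed the real dump instead of a sample:
#   audit_specials "$(dsconf localhost pwpolicy get)"
# Repeat for each DN reported by `dsconf localhost pwpolicy list`.
```

The gate is checked before the value so that a locally compliant passwordMinSpecials on a server with syntax checking disabled is reported as a finding rather than a pass; the same function can be run against each local policy dump so subtree and user overrides are covered.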