Samsung Android must be configured to not allow passwords that include more than four repeating or sequential characters.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258628	KNOX-14-110030	SV-258628r931084_rule		Medium

Description
Password strength is a measure of the effectiveness of a password in resisting guessing and brute force attacks. Passwords that contain repeating or sequential characters are significantly easier to guess than those that do not. Therefore, disallowing repeating or sequential characters increases password strength and decreases risk. SFR ID: FMT_SMF_EXT.1.1 #1b

STIG	Date
Samsung Android OS 14 with Knox 3.x COBO Security Technical Implementation Guide	2023-10-18

Details

Check Text ( C-62368r931082_chk )
Review the configuration to determine if the Samsung Android devices are disallowing passwords containing more than four repeating or sequential characters. This validation procedure is performed on both the management tool and the Samsung Android device. On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better. On the Samsung Android device: 1. Open Settings >> Lock screen >> Screen lock type. 2. Authenticate using current method. 3. Tap "PIN". 4. Verify PINs with more than four repeating or sequential numbers are not accepted. If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.

Check Text ( C-62368r931082_chk )

Review the configuration to determine if the Samsung Android devices are disallowing passwords containing more than four repeating or sequential characters.

This validation procedure is performed on both the management tool and the Samsung Android device.

On the management tool, in the device password policies, verify "minimum password quality" is set to "Numeric(Complex)" or better.

On the Samsung Android device:
1. Open Settings >> Lock screen >> Screen lock type.
2. Authenticate using current method.
3. Tap "PIN".
4. Verify PINs with more than four repeating or sequential numbers are not accepted.

If on the management tool "minimum password quality" is not set to "Numeric(Complex)" or better, or on the Samsung Android device a password with more than four repeating or sequential numbers is accepted, this is a finding.

Fix Text (F-62277r931083_fix)
Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters. On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better. If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via Knox Service Plugin [KSP] "Maximum Numeric Sequence Length" with a value of "4".

Fix Text (F-62277r931083_fix)

Configure the Samsung Android devices to disallow passwords containing more than four repeating or sequential characters.

On the management tool, in the device password policies, set "minimum password quality" to "Numeric(Complex)" or better.

If the management tool does not support "Numeric(Complex)" but does support "Numeric", Knox Platform for Enterprise (KPE) can be used to achieve STIG compliance. In this case, configure this policy with value "Numeric" and use an additional KPE policy (innately by the management tool or via Knox Service Plugin [KSP] "Maximum Numeric Sequence Length" with a value of "4".