
The mobile operating system must force the user to change at least two characters of the device unlock password whenever the password is changed.


Overview

Finding ID: KNOX-03-001000
Version: KNOX-03-001000
Rule ID: KNOX-03-001000_rule
IA Controls: (none listed)
Severity: Medium
Description
If an adversary learns part or all of a password, the adversary can use this information to more easily crack a user's subsequent passwords if the passwords do not differ significantly from one to the next. Requiring a user to change at least two characters in the password is an effective way of preserving the protection provided by password complexity in this context.
STIG: Samsung Knox Android 1.0 STIG
Date: 2013-05-03

Details

Check Text (C-KNOX-03-001000_chk)
This check procedure is performed on both the MDM Administration Console and the Samsung Knox Android device.

Check that the appropriate setting is configured on the MDM server.

For example, on the Fixmo Sentinel Administration Console:
1. Ask the MDM administrator to display the "Min Mutation on Change" setting in the "Android Knox Password Restrictions" rule.
2. Verify the value of the setting is 2 or greater.

On the Samsung Knox Android device:
1. Open the device settings.
2. Select "Lock screen".
3. Select "Screen lock".
4. Enter current password.
5. Select "Password".
6. Attempt to enter a password that is the same as the previously existing password with one of its characters changed.

If the configured value of "Min Mutation on Change" on the MDM console is not two or greater, or if the mobile operating system (MOS) accepts a password that differs from the previous one by only a single character, this is a finding.
Fix Text (F-KNOX-03-001000_fix)
Configure the mobile operating system to require at least two characters to be changed when the device unlock password is changed.

For example, on the Fixmo Sentinel Administration Console, set the "Min Mutation on Change" value to 2 or more in the "Android Knox Password Restrictions" rule.
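As an added illustration of the policy this rule describes (not code from the STIG, Samsung Knox, or any MDM product), the following enforces a "minimum mutation on change" of two characters the way device step 6 tests it. It uses edit distance rather than a position-by-position comparison, because a single inserted or deleted character would otherwise be counted as many changes; the sample passwords are constructed for the example.

```python
# Added example: enforce "at least two characters changed" between the old
# and new unlock password. The old password is available in cleartext at
# change time because the user has just entered it to authorize the change.

MIN_MUTATION = 2  # the STIG threshold for "Min Mutation on Change"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + cost))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def naive_position_diff(old: str, new: str) -> int:
    """Position-by-position count (plus length difference). Shown only to
    illustrate why it is the wrong metric: prepending one character makes
    every position differ, so a one-character change looks like many."""
    return sum(x != y for x, y in zip(old, new)) + abs(len(old) - len(new))


def password_change_allowed(old: str, new: str,
                            min_mutation: int = MIN_MUTATION) -> bool:
    """True only if the new password differs from the old one by at least
    min_mutation character changes (insert, delete or substitute)."""
    return edit_distance(old, new) >= min_mutation


if __name__ == "__main__":
    old = "Tr0ub4dor&3"                       # constructed sample, not a real credential
    for new in ("Tr0ub4dor&4",                # one substitution: must be rejected
                "xTr0ub4dor&3",               # one insertion: must be rejected
                "Tr0ub4dor&56"):              # two changes: allowed
        print(f"{new!r}: distance={edit_distance(old, new)} "
              f"naive={naive_position_diff(old, new)} "
              f"allowed={password_change_allowed(old, new)}")
```

A server that stores only password hashes cannot perform this comparison, which is why the check is verified on the device as well as on the MDM console.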