Passwords do not meet complexity or strength.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17689	RTS-VTC 2024.00	SV-18863r2_rule	DCBP-1 ECSC-1 IAIA-1 IAIA-2	Medium

Description
DoD policy mandates the use of strong passwords. IA control IAIA-1&2 item 2 states “For systems utilizing a logon ID as the individual identifier, ensure passwords are, at a minimum, a case sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!).” DoDI 8500.2, therefore, sets the minimum complexity requirement for a character based password. This minimum complexity is reiterated by CJCSM 6510.01, C-A, Section 4 which adds the recommendation that “If technically feasible, 12 to 16 characters using a mix of all four-character sets is recommended (e.g., 14 characters using a mix of all four-character sets in the first 7 characters and the last 7 characters).” In some circumstances, policies change as is the result of JTF-GNO CTO 06-02 which has set the minimum password complexity (for systems not using DoD PKI) to 9 characters with “a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters. This policy may again be updated to require 15 characters for some systems or devices that do not support CAC/PKI logon where required. Additionally, in situations such as when INFOCON levels are raised, additional requirements can be implemented. An example of this is that in the recent past, the minimum password length was raised from 9 to 15 characters. When the INFOCON level returned to normal, password length reverted to 9 characters. IA requirements can be increased and decreased in conjunction with adjustments in INFOCON levels. Such adjustments in policy and INFOCON level changes will first be reflected in the checklist associated with an effected STIG and subsequently in a STIG update if the change is permanent. While VTC endpoints today typically do not require a username, they do require a password for user access and authentication. The strength of these passwords is an issue for VTUs and is dependent upon the method of entry. The local VTU passwords are entered using the hand-held remote control. The remote control typically has a dial-pad like a telephone and not a full QWERTY keyboard. Using the dial-pad, a user is capable of entering numbers, letters, and two special characters, the * and # signs. Letter entry requires pressing a number key multiple times to scroll through the number and three or four associated letters until the correct letter is accessed. This is the same as text entry on a cell phone. To ensure accuracy of this process, the characters must be displayed on the screen as they are entered. Another method is to utilize an on-screen keyboard that is navigated using arrow keys on the remote control. While these methods are usable for entering names and other information in places such as the directory, it is not usable for password entry. This is because passwords must not be echoed to the screen to prevent password compromise by another person having a view of the screen while entry is taking place. Additionally, password characters can be shoulder surfed as they are entered if the on-screen keyboard method is used. This reduces the password to a number. It is better to protect a number from shoulder surfing than to require a strong password entered locally. Such a number is considered a Personal Identification Number (PIN) not a password. While there is the possibly of using the * and # characters, these characters typically signal special functions in some types of systems, particularly telephone systems. These could be used if, during PIN entry, they do not trigger some other function. Strong passwords along with other measures, as noted in DoD policy, are required for any access method that is received by the VTU across a network. This is because of the potential that a password could be broken by a variety of high speed cracking attacks. Due to the inability to use letters, PINs are very weak passwords. One would think that a PIN should be extra long to make them harder to break. This is not the case if they are not required to be used to access a device remotely across a network. PINs associated with a bank card are only 4 characters because the card is a token that is associated with the PIN. Similarly, DoD CAC cards are tokens with an associated 6 to 8 digit PIN for higher security. Typically, a local VTU PIN entered from a hand-held remote control can support 5 characters, while others can support more, which is preferable. By contrast, most instances of password entry from a remote device or system (e.g., management application/server/terminal/PC, PC for streaming access, pre-configured machine passwords, etc) can utilize a full keyboard. In this case such passwords must be in compliance with DoD policy. VTU password/PIN strength or complexity is therefore dependent upon the entry device. In some cases, a VTU user must enter a “password” through their VTU. In this case, this must be a PIN because of the entry device limitations posed by the hand-held remote control. The mitigation for sending a PIN across the network could be to use it one time and change it. This may not be necessary due to an additional requirement for passwords sent across a network to a remote device per DoDI 8500.2 IA control IAIA-1, which is that they must be encrypted in transit.

Description

DoD policy mandates the use of strong passwords. IA control IAIA-1&2 item 2 states “For systems utilizing a logon ID as the individual identifier, ensure passwords are, at a minimum, a case sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!).” DoDI 8500.2, therefore, sets the minimum complexity requirement for a character based password. This minimum complexity is reiterated by CJCSM 6510.01, C-A, Section 4 which adds the recommendation that “If technically feasible, 12 to 16 characters using a mix of all four-character sets is recommended (e.g., 14 characters using a mix of all four-character sets in the first 7 characters and the last 7 characters).” In some circumstances, policies change as is the result of JTF-GNO CTO 06-02 which has set the minimum password complexity (for systems not using DoD PKI) to 9 characters with “a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters. This policy may again be updated to require 15 characters for some systems or devices that do not support CAC/PKI logon where required. Additionally, in situations such as when INFOCON levels are raised, additional requirements can be implemented. An example of this is that in the recent past, the minimum password length was raised from 9 to 15 characters. When the INFOCON level returned to normal, password length reverted to 9 characters. IA requirements can be increased and decreased in conjunction with adjustments in INFOCON levels. Such adjustments in policy and INFOCON level changes will first be reflected in the checklist associated with an effected STIG and subsequently in a STIG update if the change is permanent. While VTC endpoints today typically do not require a username, they do require a password for user access and authentication. The strength of these passwords is an issue for VTUs and is dependent upon the method of entry. The local VTU passwords are entered using the hand-held remote control. The remote control typically has a dial-pad like a telephone and not a full QWERTY keyboard. Using the dial-pad, a user is capable of entering numbers, letters, and two special characters, the * and # signs. Letter entry requires pressing a number key multiple times to scroll through the number and three or four associated letters until the correct letter is accessed. This is the same as text entry on a cell phone. To ensure accuracy of this process, the characters must be displayed on the screen as they are entered. Another method is to utilize an on-screen keyboard that is navigated using arrow keys on the remote control. While these methods are usable for entering names and other information in places such as the directory, it is not usable for password entry. This is because passwords must not be echoed to the screen to prevent password compromise by another person having a view of the screen while entry is taking place. Additionally, password characters can be shoulder surfed as they are entered if the on-screen keyboard method is used. This reduces the password to a number. It is better to protect a number from shoulder surfing than to require a strong password entered locally. Such a number is considered a Personal Identification Number (PIN) not a password. While there is the possibly of using the * and # characters, these characters typically signal special functions in some types of systems, particularly telephone systems. These could be used if, during PIN entry, they do not trigger some other function. Strong passwords along with other measures, as noted in DoD policy, are required for any access method that is received by the VTU across a network. This is because of the potential that a password could be broken by a variety of high speed cracking attacks. Due to the inability to use letters, PINs are very weak passwords. One would think that a PIN should be extra long to make them harder to break. This is not the case if they are not required to be used to access a device remotely across a network. PINs associated with a bank card are only 4 characters because the card is a token that is associated with the PIN. Similarly, DoD CAC cards are tokens with an associated 6 to 8 digit PIN for higher security. Typically, a local VTU PIN entered from a hand-held remote control can support 5 characters, while others can support more, which is preferable. By contrast, most instances of password entry from a remote device or system (e.g., management application/server/terminal/PC, PC for streaming access, pre-configured machine passwords, etc) can utilize a full keyboard. In this case such passwords must be in compliance with DoD policy. VTU password/PIN strength or complexity is therefore dependent upon the entry device. In some cases, a VTU user must enter a “password” through their VTU. In this case, this must be a PIN because of the entry device limitations posed by the hand-held remote control. The mitigation for sending a PIN across the network could be to use it one time and change it. This may not be necessary due to an additional requirement for passwords sent across a network to a remote device per DoDI 8500.2 IA control IAIA-1, which is that they must be encrypted in transit.

STIG	Date
Video Teleconference STIG	2014-02-11

Details

Check Text ( C-18959r1_chk )
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure the following regarding all VTU passwords and PINs: - PINs normally entered to the local VTU from the hand-held remote control will contain 6 to 15 or more digits. - Passwords that can be entered from a keyboard (local or remote access) are compliant with current DoD minimum password complexity policy. (e.g., 9 to 15 or more characters with a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters (e.g., 3mP@gD2!c). - Passwords/PINs sent across a network are encrypted per DoD standards. - PINs sent across the network to another device using the hand-held remote control will contain 9 to 15 or more digits. Note: This requirement can reduced to a CAT III in the event a 5 digit PIN is entered to the VTU (local access) from the hand-held remote control, or (remote access), if entered from a QWERTY keyboard, a password is used having a case sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!) Note: During APL testing, this is a finding in the event this requirement is not fully supported and enforced by the VTU. This finding can be reduced to a CAT III in the event the VTU provides support for the requirement but does not enforce password strength and length. Have the IAO or SA demonstrate logging onto the VTU via local and remote access methods. For additional verification, have SA or IAO create an account for auditor and verify that password complexity requirements are met.

Check Text ( C-18959r1_chk )

[IP][ISDN]; Interview the IAO to validate compliance with the following requirement:

Ensure the following regarding all VTU passwords and PINs:
- PINs normally entered to the local VTU from the hand-held remote control will contain 6 to 15 or more digits.
- Passwords that can be entered from a keyboard (local or remote access) are compliant with current DoD minimum password complexity policy. (e.g., 9 to 15 or more characters with a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters (e.g., 3mP@gD2!c).
- Passwords/PINs sent across a network are encrypted per DoD standards.
- PINs sent across the network to another device using the hand-held remote control will contain 9 to 15 or more digits.

Note: This requirement can reduced to a CAT III in the event a 5 digit PIN is entered to the VTU (local access) from the hand-held remote control, or (remote access), if entered from a QWERTY keyboard, a password is used having a case sensitive 8-character mix of upper case letters, lower case letters, numbers, and special characters, including at least one of each (e.g., emPagd2!)

Note: During APL testing, this is a finding in the event this requirement is not fully supported and enforced by the VTU. This finding can be reduced to a CAT III in the event the VTU provides support for the requirement but does not enforce password strength and length.

Have the IAO or SA demonstrate logging onto the VTU via local and remote access methods. For additional verification, have SA or IAO create an account for auditor and verify that password complexity requirements are met.

Fix Text (F-17586r1_fix)
[IP][ISDN]; Perform the following tasks: Implement VTUs that enforce password requirements when logging in via any interface. If existing devices do not support this behavior, upgrade as soon as possible.