Control: 1.4 Ensure IAM password policy requires minimum length of 14 or greater
Description
Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters.
It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or “Special Character”).
In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account. In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.
In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren’t hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents.
Password composition requirements are a poor defense against guessing attacks. Forcing users to choose some combination of upper-case, lower-case, numbers, and special characters has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a “special character” at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.
Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.
Remediation
From Console
OCI Native IAM
- Login to OCI Console.
- Go to
Identityin the Services menu. - Select
Authentication Settingsfrom the Identity menu. - Click
Editin the middle of the page. - Type the number
14into the box below the text:MINIMUM PASSWORD LENGTH (IN CHARACTERS). - Select checkbox next to
MUST CONTAIN AT LEAST 1 SPECIAL CHARACTERORMUST CONTAIN AT LEAST 1 NUMERIC CHARACTER.
OCI Identity Cloud Service (IDCS)
- Login to IDCS Admin Console.
- Expand the Navigation Drawer, click
Settings, and then clickPassword Policy. - Click on
Change Your Password Policybutton. - Update the
Password length min size settingto14. - Click
Save. - Under The
password must contain these characterssection, update the number given inSpecial minsetting to1or Under Thepassword must contain these characterssection, update the number given inNumeric minsetting to1. - Click
Save.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_1_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run oci_compliance.control.cis_v200_1_4 --shareSQL
This control uses a named query:
select tenant_id as resource, case when minimum_password_length >= 14 and (is_numeric_characters_required or is_special_characters_required) then 'ok' else 'alarm' end as status, case when minimum_password_length is null then 'No password policy set.' when minimum_password_length >= 14 and (is_numeric_characters_required or is_special_characters_required) then 'Strong password policies configured.' else 'Strong password policies not configured.' end as reason , tenant_name as tenantfrom oci_identity_authentication_policy;