v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/oci_compliance
Overview
3Dashboards
133Controls
43Queries
2Variables
GitHub

Control: 1.4 Ensure IAM password policy requires minimum length of 14 or greater

Description

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters.

It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or “Special Character”).

In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account. In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.

In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren’t hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents.

Password composition requirements are a poor defense against guessing attacks. Forcing users to choose some combination of upper-case, lower-case, numbers, and special characters has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a “special character” at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.

Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.

Remediation

From Console

OCI Native IAM

  1. Login to OCI Console.
  2. Go to Identity in the Services menu.
  3. Select Authentication Settings from the Identity menu.
  4. Click Edit in the middle of the page.
  5. Type the number 14 into the box below the text: MINIMUM PASSWORD LENGTH (IN CHARACTERS).
  6. Select checkbox next to MUST CONTAIN AT LEAST 1 SPECIAL CHARACTER OR MUST CONTAIN AT LEAST 1 NUMERIC CHARACTER.

OCI Identity Cloud Service (IDCS)

  1. Login to IDCS Admin Console.
  2. Expand the Navigation Drawer, click Settings, and then click Password Policy.
  3. Click on Change Your Password Policy button.
  4. Update the Password length min size setting to 14.
  5. Click Save.
  6. Under The password must contain these characters section, update the number given in Special min setting to 1 or Under The password must contain these characters section, update the number given in Numeric min setting to 1.
  7. Click Save.

Usage

Run the control in your terminal:

powerpipe control run oci_compliance.control.cis_v200_1_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run oci_compliance.control.cis_v200_1_4 --share

SQL

This control uses a named query:

identity_authentication_password_policy_strong_min_length_14

Tags

category = Compliance
cis = true
cis_item_id = 1.4
cis_level = 1
cis_section_id = 1
cis_type = automated
cis_version = v2.0.0
plugin = oci
service = OCI/Identity