Control: 1.4 Ensure IAM password policy requires minimum length of 14 or greater
Description
Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are at least a certain length and are composed of certain characters.
It is recommended that the password policy require a minimum password length of 14 characters and at least 1 non-alphabetic character (a number or a “special character”).
In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account. In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.
In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren’t hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents.
Password composition requirements are a poor defense against guessing attacks. Forcing users to choose some combination of upper-case, lower-case, numbers, and special characters has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a “special character” at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.
Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.
Remediation
- Go to Identity Domains: https://cloud.oracle.com/identity/domains/.
- Select the Compartment the Domain to remediate is in.
- Click on the Domain to remediate.
- Click on Settings.
- Click on Password policy to remediate.
- Click Edit password rules.
- Update the Password length (minimum) setting to 14 or greater.
- Under the Passwords must meet the following character requirements section, update the number given in the Special (minimum) setting to 1 or greater, or update the number given in the Numeric (minimum) setting to 1 or greater.
- Click Save changes.
Usage
Run the control in your terminal:
```sh
powerpipe control run oci_compliance.control.cis_v300_1_4
```

Snapshot and share results via Turbot Pipes:

```sh
powerpipe login
powerpipe control run oci_compliance.control.cis_v300_1_4 --share
```

SQL
This control uses a named query:
```sql
select
  tenant_id as resource,
  case
    when minimum_password_length >= 14
      and (is_numeric_characters_required or is_special_characters_required) then 'ok'
    else 'alarm'
  end as status,
  case
    when minimum_password_length is null then 'No password policy set.'
    when minimum_password_length >= 14
      and (is_numeric_characters_required or is_special_characters_required) then 'Strong password policies configured.'
    else 'Strong password policies not configured.'
  end as reason,
  tenant_name as tenant
from
  oci_identity_authentication_policy;
```
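The following is an added example, not code from the oci_compliance mod or from Powerpipe. It re-implements the named query's CASE logic in Python over constructed sample rows so the control's decisions can be unit-tested offline, including the edge case where a tenancy has no password policy at all: in SQL, `NULL >= 14` evaluates to NULL, so that row falls through to `'alarm'` while still getting the `'No password policy set.'` reason. It also derives, for each failing row, which of the two settings named in the Remediation section would need to change. The column names follow the `oci_identity_authentication_policy` table as used by the query; the tenancy OCIDs and tenant names are made up.

```python
"""Local re-implementation of the cis_v300_1_4 check (added example, not the mod's code).

Mirrors the named query's two CASE expressions. Sample rows below are
constructed; field names follow the oci_identity_authentication_policy
columns referenced by the query.
"""
from typing import Dict, List, Optional, TypedDict


class PolicyRow(TypedDict):
    tenant_id: str
    tenant_name: str
    minimum_password_length: Optional[int]        # NULL when no policy is set
    is_numeric_characters_required: Optional[bool]
    is_special_characters_required: Optional[bool]


MIN_LENGTH = 14  # CIS 1.4 threshold


def evaluate(row: PolicyRow) -> Dict[str, str]:
    """Return the same resource/status/reason/tenant tuple the query emits."""
    length = row["minimum_password_length"]
    # Either a numeric or a special-character requirement satisfies the control.
    non_alpha = bool(row["is_numeric_characters_required"]) or bool(
        row["is_special_characters_required"]
    )
    # NULL length never satisfies ">= 14", so a missing policy is an alarm.
    compliant = length is not None and length >= MIN_LENGTH and non_alpha
    if length is None:
        reason = "No password policy set."
    elif compliant:
        reason = "Strong password policies configured."
    else:
        reason = "Strong password policies not configured."
    return {
        "resource": row["tenant_id"],
        "status": "ok" if compliant else "alarm",
        "reason": reason,
        "tenant": row["tenant_name"],
    }


def remediation_plan(row: PolicyRow) -> Dict[str, object]:
    """Settings that must change for the row to pass; empty when already ok."""
    changes: Dict[str, object] = {}
    length = row["minimum_password_length"]
    if length is None or length < MIN_LENGTH:
        changes["minimum_password_length"] = MIN_LENGTH
    if not (row["is_numeric_characters_required"] or row["is_special_characters_required"]):
        # The Remediation steps raise Numeric (minimum) or Special (minimum)
        # to 1; requiring a numeric character is chosen here arbitrarily.
        changes["is_numeric_characters_required"] = True
    return changes


# Constructed sample rows (not real tenancies).
SAMPLE_ROWS: List[PolicyRow] = [
    {"tenant_id": "ocid1.tenancy.oc1..example1", "tenant_name": "prod",
     "minimum_password_length": 14,
     "is_numeric_characters_required": False, "is_special_characters_required": True},
    {"tenant_id": "ocid1.tenancy.oc1..example2", "tenant_name": "dev",
     "minimum_password_length": 8,
     "is_numeric_characters_required": True, "is_special_characters_required": False},
    {"tenant_id": "ocid1.tenancy.oc1..example3", "tenant_name": "sandbox",
     "minimum_password_length": None,
     "is_numeric_characters_required": None, "is_special_characters_required": None},
    {"tenant_id": "ocid1.tenancy.oc1..example4", "tenant_name": "staging",
     "minimum_password_length": 16,
     "is_numeric_characters_required": False, "is_special_characters_required": False},
]


def run_check(rows: List[PolicyRow] = SAMPLE_ROWS) -> List[Dict[str, str]]:
    """Evaluate every row, in the same order as the input."""
    return [evaluate(r) for r in rows]


if __name__ == "__main__":
    for result, row in zip(run_check(), SAMPLE_ROWS):
        print(f"{result['tenant']:8} {result['status']:5} {result['reason']}  "
              f"needs: {remediation_plan(row) or 'nothing'}")
```

Running the module prints one line per sample tenancy; `prod` passes, `dev` fails on length alone, `staging` fails on composition alone, and `sandbox` is flagged as having no policy. The same rows can be fed to the query through a throwaway table if you want to confirm the Python and SQL agree before relying on either in a pipeline.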