Detections
Analytics

24.5 (L1) Ensure 'Min Device Password Length' is set to '14 or more character(s)'

Information

This policy setting determines the least number of characters that make up a password for a local user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 or newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially around password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements.

The recommended state for this setting is: 14 or more character(s)

Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to 14 or more character(s) :

Device Lock\Device Password Enabled: Min Device Password Length

Impact:

Requirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.

Warning: If an organization is using Windows Hello for Business the the Device Lock password settings can impact PIN polices if those policies are not first defined elsewhere. Windows will follow the Windows Hello for Business policies for PINs if this key exists: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies Otherwise, it will follow Device Lock policies.

This benchmark recommends configuring Device Lock policies for Local User accounts and Windows Hello for Business policies for PINs

Note:

Windows Autopilot - Policy Conflicts

: The out-of-box experience (OOBE) or user desktop auto logon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. An exception to this recommendation might be needed is Windows AutoPilot if used.

See Also

https://workbench.cisecurity.org/benchmarks/16852

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.2

Plugin: Windows

Control ID: 2e0e52cd4528195c627af462554150fe2445bd1365768d7beeddc2e7e51f134b