2.8 Ensure Password Resets Require Strong Passwords

Information

Disabling password reuse, enforcing password strength, and denying reuse can be implemented to prevent successful usage of stolen or previously guessed passwords by malicious users.

Restricted accounts using passwords on the basis of the number of password changes and length ensure a password cannot be chosen from a specified number of the most recent passwords.

Rationale:

Repeated use of old passwords can increase risk of a compromise. This may lead to access by malicious users who have discovered a user's prior password(s).

Solution

Set a global policy that passwords may not be reused for a minimum of five password changes:

SET PERSIST password_history = 5;

Set a global policy that passwords have a lifetime to approximately one year (in days)

SET PERSIST password_reuse_interval = 365;

Default Value:

Both password_history and password_reuse_interval are 0 (off) by default.

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: MySQLDB

Control ID: feafe01b4ca09c5fa6ba293b961ba0d47df462ea1d56c572242e3580b8b4b169