1.3.2 Ensure 'Minimum Length' is greater than or equal to 12

Information

This setting determines the minimum number of characters required in a user account's password.

Rationale:

A longer password is much more difficult to attack, either directly against administrative interfaces or cryptographically against captured password hashes. Increasing a password's length will generally have a greater impact in this regard than making a shorter password more complex. Passphrases are commonly recommended to make longer passwords more palatable to end users. Administrative staff, however, generally use 'password safe' applications, so a long and complex password is more easily implemented for most infrastructure administrative interfaces.

Impact:

Longer passwords are much more difficult to attack. This is true of attacks against the administrative interfaces themselves, or of decryption attacks against captured hashes. A longer password will almost always have a more positive impact than a shorter but more complex password.

Solution

Navigate to Device > Setup > Management > Minimum Password Complexity.
Set Minimum Length to greater than or equal to 12.

Default Value:

Not enabled.
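
One way to verify this setting offline against an exported configuration file, as an added example that is not part of the benchmark or the plugin. It assumes the export keeps the setting under `mgt-config/password-complexity` with `enabled` and `minimum-length` elements (confirm the layout against your own export), and it fails the check when complexity enforcement is absent or disabled, since the default is not enabled.

```python
import xml.etree.ElementTree as ET

REQUIRED_MIN_LENGTH = 12  # threshold from this benchmark item
# Assumed location of the setting, relative to the <config> root element.
COMPLEXITY_PATH = "mgt-config/password-complexity"

# Constructed sample exports (not taken from a real device).
SAMPLES = {
    "compliant": "<config><mgt-config><password-complexity><enabled>yes</enabled>"
                 "<minimum-length>14</minimum-length>"
                 "</password-complexity></mgt-config></config>",
    "too_short": "<config><mgt-config><password-complexity><enabled>yes</enabled>"
                 "<minimum-length>8</minimum-length>"
                 "</password-complexity></mgt-config></config>",
    "not_enabled": "<config><mgt-config><password-complexity><enabled>no</enabled>"
                   "<minimum-length>12</minimum-length>"
                   "</password-complexity></mgt-config></config>",
    "default": "<config><mgt-config/></config>",
}


def check_minimum_length(config_xml, required=REQUIRED_MIN_LENGTH):
    """Return (passed, reason) for an exported configuration XML string."""
    node = ET.fromstring(config_xml).find(COMPLEXITY_PATH)
    if node is None:
        return False, "password complexity not configured"
    # A length value has no effect unless complexity enforcement is switched on.
    if (node.findtext("enabled") or "no").strip().lower() != "yes":
        return False, "password complexity present but not enabled"
    raw = (node.findtext("minimum-length") or "").strip()
    if not raw.isdigit():
        return False, "minimum-length missing or not a number"
    length = int(raw)
    if length < required:
        return False, f"minimum-length is {length}, below {required}"
    return True, f"minimum-length is {length}"


def audit_samples():
    """Map each constructed sample name to its pass/fail result."""
    return {name: check_minimum_length(xml)[0] for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        passed, reason = check_minimum_length(xml)
        print(f"{name:12} {'PASS' if passed else 'FAIL'}  {reason}")
```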

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.2

Plugin: Palo_Alto

Control ID: 8f302656faed2a66ca242613f96e94fab4ed26b7de6fb3da3450c82c010b2ef3