1.5 Ensure minimum password length is set to 14 characters or more

Information

To mitigate the risk of unauthorized access to a Snowflake account through easily guessable passwords, Snowflake enforces the following password policy as a minimum requirement when a password is set using the ALTER USER command or the web interface:

- Must be at least 8 characters long.
- Must contain at least 1 digit.
- Must contain at least 1 uppercase letter and 1 lowercase letter.

Snowflake password policies can be used to specify and enforce further constraints on password length and complexity.

Snowflake supports setting a password policy for your Snowflake account and for individual users. Only one password policy can be set at any given time for your Snowflake account or a user. If a password policy exists for the Snowflake account and another password policy is set for a user in the same Snowflake account, the user-level password policy takes precedence over the account-level password policy.

The password policy applies to new passwords that are set in your Snowflake account. To ensure that users with existing passwords meet the password policy requirements, require users to change their password during their next login to Snowflake as shown in Step 6: Require a Password Change.

While Snowflake recommends configuring SSO authentication for users and ensuring that SSO users do not have a password set, there may be exceptions when users still need to log in with a password (e.g., setting up a break-glass user with password login to recover from SSO outages). For those few users that still need to have a password, setting a password policy can help ensure that, throughout subsequent password changes, the passwords used remain complex and therefore harder to guess or brute-force.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow these steps to set and enforce a password policy:

- Create the password policy if it does not exist:

  CREATE PASSWORD POLICY <password_policy> PASSWORD_MIN_LENGTH = 14 PASSWORD_MAX_AGE_DAYS = 0;

- Set the password policy on the account level:

  ALTER ACCOUNT SET PASSWORD POLICY <password_policy>;

Note: It may take up to 2 hours for the password policies created to show up in the account usage view. For more information on latency, see the Data latency for Account Usage documentation.
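The following is an added example, not part of the benchmark text, that applies the steps above and then verifies the result, including the user-level override case the Information section describes. It assumes a database SECURITY_DB and schema POLICIES exist to hold the policy object, and that the Account Usage views PASSWORD_POLICIES and POLICY_REFERENCES expose the columns named below.

```sql
-- Added example: enforce the 14-character minimum and verify it.
-- SECURITY_DB.POLICIES is an assumed location for the policy object.
USE ROLE ACCOUNTADMIN;

-- Step 1: create the policy (IF NOT EXISTS makes the script re-runnable).
CREATE PASSWORD POLICY IF NOT EXISTS SECURITY_DB.POLICIES.ACCOUNT_PASSWORD_POLICY
  PASSWORD_MIN_LENGTH  = 14
  PASSWORD_MAX_AGE_DAYS = 0
  COMMENT = 'CIS 1.5: minimum password length 14 or more';

-- Step 2: attach it at the account level.
ALTER ACCOUNT SET PASSWORD POLICY SECURITY_DB.POLICIES.ACCOUNT_PASSWORD_POLICY;

-- Check A: immediate confirmation of the effective settings
-- (DESCRIBE reads the object directly, so there is no Account Usage latency).
DESCRIBE PASSWORD POLICY SECURITY_DB.POLICIES.ACCOUNT_PASSWORD_POLICY;

-- Check B: audit view of which live policy is attached to the account and
-- whether it meets the control. Expect exactly one row with min_length >= 14.
-- Account Usage can lag by up to 2 hours, so re-run after a change.
SELECT p.database_name, p.schema_name, p.name,
       p.password_min_length,
       p.password_min_length >= 14 AS meets_cis_1_5
FROM SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES p
JOIN SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES r
  ON  r.policy_db     = p.database_name
  AND r.policy_schema = p.schema_name
  AND r.policy_name   = p.name
  AND r.policy_kind   = 'PASSWORD_POLICY'
WHERE p.deleted IS NULL
  AND r.ref_entity_domain = 'ACCOUNT';

-- Check C: user-level policies take precedence over the account policy,
-- so a weaker policy attached to a user silently bypasses the control.
-- Any row returned here is a finding to remediate.
SELECT r.ref_entity_name AS user_name, p.name AS policy_name,
       p.password_min_length
FROM SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES r
JOIN SNOWFLAKE.ACCOUNT_USAGE.PASSWORD_POLICIES p
  ON  p.database_name = r.policy_db
  AND p.schema_name   = r.policy_schema
  AND p.name          = r.policy_name
WHERE r.policy_kind = 'PASSWORD_POLICY'
  AND r.ref_entity_domain = 'USER'
  AND p.deleted IS NULL
  AND p.password_min_length < 14;
```

Check C is the one most often missed: the account-level policy passing Check B does not prove the control holds for users who carry their own policy.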

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Snowflake

Control ID: 11de84c5c1472cffd2d5e1362965db728029c04e1536726b4088ab40c4154fc5