1.6 Enforce password complexity - minimum password length

Information

Sybase ASE 15.0 and 15.0.1 support enforcing password complexity via:

. Setting the login mode to Integrated Mode so that password policy is enforced by
the Windows domain.
. A configuration parameter to enforce server-wide, per user account and per role
minimum password length (set to 0 by default).
. A configuration parameter to enforce at least one digit in a password (disabled by
default).

Sybase ASE 15.0.2 supports the above settings as well as more granular password
complexity via:

. A setting to enforce that a login name cannot be a substring of the password.
. A setting to enforce the minimum number of special characters for the password.
. A setting to enforce the minimum number of alphabetic characters for the password.
. A setting to enforce the minimum number of upper-case letters for the password.
. A setting to enforce the minimum number of lower-case letters for the password.
. A setting to enforce that the password must be reset the first time a login is used.
. A setting to enforce the minimum number of digits for the password.


In addition, Sybase ASE 15.0.2 supports the creation of a stored procedure to enforce
custom password complexity requirements.
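As an added illustration of that stored-procedure hook (this code is not part of the benchmark item), ASE 15.0.2 lets the System Security Officer create a procedure in master that the server calls whenever a password is set or changed. The procedure name sp_extrapwdchecks, its three parameters, and the convention that a failed check is signalled with raiserror using an error number above 20000 are assumptions based on the ASE 15.0.2 documentation; confirm them against your release before relying on the hook.

```sql
-- Added example: a custom password check for ASE 15.0.2.
-- Assumption: ASE calls master..sp_extrapwdchecks with the caller's
-- current password, the proposed new password and the login name,
-- and treats a raiserror (number > 20000) as rejection of the password.
use master
go

create procedure sp_extrapwdchecks
    @caller_password varchar(30),   -- password of the login making the change
    @new_password    varchar(30),   -- candidate password being set
    @login_name      varchar(30)    -- login whose password is changing
as
begin
    declare @lower_pwd varchar(30)
    select @lower_pwd = lower(@new_password)

    -- Reject a password that contains the login name, case-insensitively.
    if charindex(lower(@login_name), @lower_pwd) > 0
    begin
        raiserror 20001 "Password must not contain the login name"
        return 1
    end

    -- Reject a password made of one repeated character (e.g. 'aaaaaaaa').
    if @new_password = replicate(substring(@new_password, 1, 1),
                                 char_length(@new_password))
    begin
        raiserror 20002 "Password must not be a single repeated character"
        return 1
    end

    -- Reject a short, constructed list of commonly guessed values.
    if @lower_pwd in ('password', 'sybase', 'changeme', 'welcome1')
    begin
        raiserror 20003 "Password is on the disallowed list"
        return 1
    end

    return 0
end
go

-- Confirm the hook exists in master.
sp_help sp_extrapwdchecks
go
```

The hook runs in addition to, not instead of, the built-in sp_configure and sp_passwordpolicy checks, so keep the server-wide minimum length and digit requirement configured even when a custom procedure is installed.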


It is recommended that strong password complexity is enforced in accordance with your
organization's policy. It may not be possible to enforce a sufficient policy on ASE 15.0 and
ASE 15.0.1; if this is the case the System Security Officer should consider one of the
following solutions:

. Upgrade systems to ASE 15.0.2 in order to make use of the more extensive password
complexity options.
. Enable Integrated Mode to rely on the Windows domain password policy.
. Accept the risk associated with the policy conflict and regularly audit password
strength using a password cracking tool.

Rationale:

Arguably the most common cause of database compromise is weak passwords. Setting
password complexity is an essential step to ensuring the security and integrity of the data
within the database.

Solution

1. Connect to the ASE server as a user with the sso_role and execute the following
SQL statement in order to set a system-wide minimum password length according
to your organization's password policy (substitute 8 for an acceptable value):

exec sp_configure 'minimum password length', 8

2. Set a custom minimum password length for specific users and roles as required.
This should not be less than the system-wide length. This can be accomplished via
the sp_modifylogin stored procedure.

3. Execute the following statement to enforce at least one digit in passwords:

exec sp_configure 'check password for digit', 1
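The three steps above combined into one script, as an added example that is not part of the benchmark item. The two sp_configure parameter names are the ones given in this item; the sp_modifylogin and sp_modify_role option name 'min passwd length', the principal names used ('sa', 'sa_role'), and the read-back of a parameter by calling sp_configure with no value are assumptions to confirm against your ASE release.

```sql
-- Added example: applying this item's settings on one ASE server.
-- Run as a login holding sso_role.
use master
go

-- Step 1. Server-wide floor; every login and role inherits at least this.
exec sp_configure 'minimum password length', 8
go

-- Step 2. Tighter floors for privileged principals. Keep these at or above
--         the server-wide value; a lower per-user value would undo step 1.
--         Assumption: option name 'min passwd length' for both procedures.
exec sp_modifylogin 'sa', 'min passwd length', '12'
go
exec sp_modify_role 'sa_role', 'min passwd length', '12'
go

-- Step 3. Require at least one digit in every new password.
exec sp_configure 'check password for digit', 1
go

-- Verification: read the parameters back to confirm they took effect
-- (assumption: sp_configure with only a name reports the current value).
exec sp_configure 'minimum password length'
exec sp_configure 'check password for digit'
go

-- sp_displaylogin lists the per-login minimum alongside other attributes.
exec sp_displaylogin 'sa'
go
```

Both sp_configure parameters are dynamic in this version, so no server restart is needed; the new rules apply to passwords set after the change, and existing weak passwords remain in place until their owners reset them.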

See Also

https://workbench.cisecurity.org/files/1612

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: SybaseDB

Control ID: 3b21216b69d02da024291c37200f955f988851fe8f449f071fdad0ef8d504b01